Dynamically associating mobile devices with different logical networks implemented on a shared network fabric of a single entity

- VMware LLC

Some embodiments provide a novel method for dynamically associating mobile devices with different logical networks implemented on an entity's shared network fabric. At least two logical networks are implemented for at least two entity groups. At a first site, the method authenticates a mobile device and uses mobile device management (MDM) servers to identify an MDM group associated with the mobile device. The method uses the MDM group (1) to identify a first logical network over a shared network fabric at the first site to connect the mobile device to resources of the first site, and (2) to identify a logical network identifier (LNI) of a second logical network connecting a first edge gateway at the first site to a second edge gateway at a second site. The method inserts the LNI in an encapsulation header of data messages sent from the mobile device to resources at the second site.

Description
BACKGROUND

At different physical sites of an entity (e.g., a corporation), data message flows of users' endpoints (e.g., wired and wireless devices) are not dynamically isolated from other data message flows of other users' endpoints based on user identity, user role within the entity, and endpoint identity. Methods and systems are needed for isolating traffic between different users of a shared network fabric of an entity.

BRIEF SUMMARY

Some embodiments provide a novel method for dynamically associating mobile devices with different software-defined wide area networks (SD-WANs) implemented for different user groups of a single shared network fabric of a single entity. The method identifies a particular mobile device that is trying to connect to a managed network switch. The method uses a set of one or more mobile device management (MDM) servers to identify a set of attributes associated with the particular mobile device attempting to access the shared network fabric. The method uses the identified set of attributes to identify an SD-WAN tenant identifier (ID) associated with a particular SD-WAN established for a group of devices including the particular mobile device. The method provides the SD-WAN tenant ID to the managed network switch to store in encapsulating headers that the managed network switch uses to encapsulate data message flows from the particular mobile device before forwarding the data message flows to one or more resources in the shared network fabric.

Some embodiments establish different SD-WANs for different user groups in order to isolate traffic between the different user groups. The managed network switch in some embodiments encapsulates different data message flows from different wired and wireless devices, including the particular mobile device, to forward the different data message flows to different resources in the shared network fabric. In some embodiments, the shared network fabric includes at least one of datacenter sites, branch sites, and cloud sites. The particular mobile device in some embodiments resides in a particular branch site of the shared network fabric. In some embodiments, the MDM server set resides in the particular branch site along with the particular mobile device. In these embodiments, the MDM server set performs operations for each mobile device in the particular branch site. In other embodiments, the MDM server set resides in a cloud site of the shared network fabric. In these embodiments, the MDM server set performs operations for mobile devices in one or more branch sites that do not include an MDM server set.

The method of some embodiments identifies the particular mobile device by identifying a media access control (MAC) address of the particular mobile device. In such embodiments, the method supplies the MAC address of the particular mobile device to the MDM server set in order to retrieve the set of attributes. In some embodiments, the set of attributes includes a user group ID associated with a particular user group to which the particular mobile device belongs. In such embodiments, the method supplies the MAC address of the particular mobile device to the MDM server set to identify the user group ID. The user group ID is in some embodiments further associated with a particular user of the particular mobile device.

In some embodiments, in identifying the particular mobile device, the method also identifies authentication credentials of a particular user of the particular mobile device. The authentication credentials in some embodiments include a username and password for the particular user. Unique usernames and passwords are associated with each user of the shared network fabric in order to authenticate each user. In some embodiments, before using the MDM server set to identify the set of attributes, the method authenticates the particular user using the username and password. In some embodiments, this is performed using an authentication server, which resides in the particular branch site or in the cloud site of the shared network fabric.

In some embodiments, the MDM server set maintains mappings between MAC addresses and user group IDs including a particular mapping between the MAC address of the particular mobile device and the user group ID associated with the particular user group to which the particular mobile device belongs. These mappings are stored in some embodiments in a local storage or memory of the MDM server set. The MDM server set in other embodiments associates the MAC address of the particular mobile device to the user group ID using a set of policies defined by a network administrator of the shared network fabric.

In some embodiments, the set of attributes also includes a user subgroup ID for a particular user subgroup of the particular user of the particular mobile device. In such embodiments, users are segmented into both groups and subgroups in order to further isolate traffic between users. The method of some embodiments uses the user subgroup ID to identify a virtual local area network (VLAN) tag for the particular user subgroup. This VLAN tag specifies a particular VLAN of the particular SD-WAN for the particular user subgroup.

The method of some embodiments provides, along with the SD-WAN tenant ID, the VLAN tag to the managed network switch to store in the encapsulating headers that the managed network switch uses to encapsulate the data message flows. In some embodiments, the managed network switch encapsulates the SD-WAN tenant ID and the VLAN tag in different encapsulating headers of the data message flows. In other embodiments, the managed network switch encapsulates the SD-WAN tenant ID and the VLAN tag in a same encapsulating header of the data message flows.
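The control-plane decision just described, as an added example that is not code from the patent or from VMware: authenticate the user, query the MDM record for the device's MAC address, map the MDM group and subgroup to an SD-WAN tenant ID and a VLAN tag, and hand the managed switch a port profile. The user store, MDM records and policy tables are constructed, and names such as `PortProfile` and `classify()` are hypothetical. The example also adds the check a practitioner would want here: a MAC address is trivially spoofed and many mobile operating systems randomize it per network, so the MDM group is only trusted when the enrolled user matches the user who just authenticated, and anything that cannot be classified lands in a fail-closed quarantine tenant rather than on a production SD-WAN.

```python
"""Control-plane decision for a device joining the shared fabric.

Added example (not from the patent): authenticate the user, look up the
device's MDM record by MAC address, map group/subgroup to an SD-WAN tenant
ID and VLAN tag, and return a port profile for the managed switch. The user
store, MDM records and policy tables are constructed; PortProfile and
classify() are hypothetical names.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

ITERATIONS = 10_000
SALT = b"\x01" * 16  # fixed here only so the example is deterministic


def _hash_pw(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Authentication server: username -> PBKDF2 digest (never plaintext).
USERS = {
    "alice": _hash_pw("correct horse"),
    "bob": _hash_pw("battery staple"),
}

# MDM server records: MAC -> (enrolled user, MDM group, MDM subgroup).
MDM_RECORDS = {
    "aa:bb:cc:00:00:01": ("alice", "engineering", "platform"),
    "aa:bb:cc:00:00:02": ("bob", "finance", "payroll"),
}

# Administrator policy: group -> SD-WAN tenant ID, subgroup -> VLAN tag.
TENANT_BY_GROUP = {"engineering": 1001, "finance": 2002}
VLAN_BY_SUBGROUP = {"platform": 110, "payroll": 220}

# Fail-closed landing zone for anything that cannot be classified.
QUARANTINE = (9999, 999)


@dataclass(frozen=True)
class PortProfile:
    tenant_id: int   # stored by the managed switch in the encapsulating header
    vlan_tag: int    # 802.1Q tag for the subgroup
    reason: str


def authenticate(username: str, password: str) -> bool:
    digest = USERS.get(username)
    if digest is None:
        _hash_pw(password)        # same cost for unknown users (no username oracle)
        return False
    return hmac.compare_digest(_hash_pw(password), digest)


def mdm_lookup(mac: str) -> Optional[Tuple[str, str, str]]:
    return MDM_RECORDS.get(mac.lower())


def classify(mac: str, username: str, password: str) -> PortProfile:
    """What the SDEN control plane returns to the switch for a new device."""
    if not authenticate(username, password):
        return PortProfile(*QUARANTINE, "auth-failed")
    record = mdm_lookup(mac)
    if record is None:
        return PortProfile(*QUARANTINE, "unknown-device")
    enrolled_user, group, subgroup = record
    # A MAC address is trivially spoofed and many mobile OSes randomise it per
    # network, so the MDM group is trusted only when the enrolled user matches
    # the user who just authenticated from that device.
    if enrolled_user != username:
        return PortProfile(*QUARANTINE, "user-device-mismatch")
    tenant_id = TENANT_BY_GROUP.get(group)
    vlan_tag = VLAN_BY_SUBGROUP.get(subgroup)
    if tenant_id is None or vlan_tag is None:
        return PortProfile(*QUARANTINE, "no-policy")
    return PortProfile(tenant_id, vlan_tag, "ok")


if __name__ == "__main__":
    print(classify("aa:bb:cc:00:00:01", "alice", "correct horse"))
    print(classify("aa:bb:cc:00:00:01", "bob", "battery staple"))
```

The order matters: authentication runs before the MDM query, as the text describes for some embodiments, so an unauthenticated client never learns whether a MAC address is enrolled, and the MDM answer is bound to the authenticated identity rather than accepted on the strength of the MAC alone.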

Some embodiments provide a novel method for dynamically associating mobile devices with different SD-WANs implemented on a shared network fabric of an entity. At least two different SD-WANs are implemented for at least two different groups of the entity. At a first site of the entity connected to a second site of the entity through the SD-WANs, the method identifies a particular mobile device that needs to connect to an SD-WAN. The method uses a set of one or more MDM servers to identify an MDM group with which the particular mobile device is associated. The method uses the identified MDM group to identify a particular local area network (LAN) at the first site for the particular mobile device to connect to network resources of the first site that are connected to the particular LAN. The method uses the identified MDM group to identify a particular SD-WAN for the particular mobile device to use to connect to a second site to have access to a set of one or more network resources at the second site.

In some embodiments, using the identified MDM group to identify the particular LAN at the first site for the particular mobile device to connect to the network resources of the first site includes inserting in a first encapsulating header, which is used to send a first set of encapsulated data messages between the particular mobile device and the network resources of the first site, a LAN identifier associated with the LAN. By encapsulating data messages sent between the particular mobile device and the network resources of the first site with the LAN identifier, the data messages will be sent through the LAN. In some embodiments, the LAN identifier is inserted into encapsulating headers by an SD-WAN edge appliance operating at the first site to forward the encapsulated data message flows to the network resources of the first site.

Using the identified MDM group to identify the particular SD-WAN for the particular mobile device to use to connect to the second site in some embodiments includes inserting in a second encapsulating header, which is used to send a second set of encapsulated data messages between the particular mobile device and the set of network resources at the second site, an SD-WAN identifier associated with the particular SD-WAN. By encapsulating data messages sent between the particular mobile device and the set of network resources at the second site with the SD-WAN identifier, the data messages will be sent through the SD-WAN. In some embodiments, the SD-WAN identifier is inserted into encapsulating headers by an SD-WAN edge appliance operating at the first site to forward the encapsulated data message flows to an orchestration service operating at the second site. In some embodiments, the LAN identifier is different from the SD-WAN identifier. In other embodiments, the LAN identifier and the SD-WAN identifier are the same identifier.

The method of some embodiments is performed by a set of software-defined edge network (SDEN) servers implementing an SDEN control plane at the first site. In such embodiments, an SDEN management plane operates in the second site along with an orchestration service (e.g., a VeloCloud® orchestration service) to connect to the first site. In some embodiments, the network resources include one or more of servers (e.g., virtual machines (VMs), containers, Pods, etc.), applications, middlebox services (e.g., firewall services, network address translation services, load balancing services, etc.), and forwarding elements (e.g., routers, switches, etc.).

At least two different SD-WANs are implemented for at least two different groups of the entity in some embodiments. These groups are in some embodiments different user groups of the entity. These groups in other embodiments are different device groups of the entity. The groups in other embodiments are a combination of user and device groups of the entity. The first site in some embodiments is a branch site of the entity, while the second site is a cloud site of the entity.

In some embodiments, the MDM group is identified by using the set of MDM servers to identify a device group to which the particular mobile device belongs. In such embodiments, the SDEN control plane provides the device's MAC address to the MDM server set to determine the device group. A device group is in some embodiments defined based on the device type, such as a first group for laptops, a second group for smartphones, a third group for tablets, etc.

In other embodiments, the SDEN control plane determines to which user group the user of the mobile device belongs. In such embodiments, the SDEN control plane provides the user's credentials to the MDM server set to determine the user group. The SDEN control plane of some embodiments also provides the device's MAC address along with the user's credentials to identify the user group. In some embodiments, a user group is a group of members of the entity that share a set of characteristics. The set of characteristics in some embodiments include at least one of a shared responsibility for the entity, a shared role within the entity, and a shared subgroup of the entity.

The particular LAN of some embodiments is a first logical network of several logical networks implemented at the first site for several different groups of mobile devices. These logical networks are implemented in some embodiments to isolate data message flows between the different groups.

Some embodiments provide a novel method for dynamically associating mobile devices with different logical networks implemented on a shared network fabric of an entity. At least two different logical networks are implemented for at least two different groups of the entity. At a first site of the entity, the method authenticates a particular mobile device. The method uses a set of one or more MDM servers to identify an MDM group with which the particular mobile device is associated. The method uses the identified MDM group to identify a first logical network that is defined over a shared network fabric at the first site for the particular mobile device to connect to network resources of the first site that are connected to the first logical network. The method uses the identified MDM group to identify a logical network identifier (LNI) associated with a second logical network connecting a first edge gateway at the first site to a second edge gateway at a second site of the entity. The method inserts the LNI in an encapsulation header that encapsulates data messages sent from the particular mobile device to a set of one or more network resources at the second site.

The second logical network identified by the LNI in some embodiments (1) spans the first and second sites and (2) connects the particular mobile device at the first site to the set of one or more network resources at the second site. In some embodiments, the encapsulation header is a tunnel header used to send the data messages from the first edge gateway to the second edge gateway through a tunnel established between the first and second edge gateways. This tunnel connects the first and second sites so that the particular mobile device is able to access the set of network resources at the second site. Because the data messages sent from the particular mobile device traverse this tunnel between the two edge gateways, the particular mobile device can be seen as in the same overlay network as the set of network resources in the second site. (The tunnel isolates flows by logical network; it protects them from an attacker on the underlay only if the tunnel itself is encrypted and authenticated, for example with IPsec.)

In some embodiments, the LNI is inserted into the encapsulating header by a tier-0 (T0) router operating at the first site to forward the encapsulated data messages to an edge node (or another T0 router) at the second site. The first logical network in some embodiments also has an associated LNI. In some embodiments, the first logical network LNI is the same as the second logical network LNI, as the first and second logical networks are one network. In other embodiments, the first logical network LNI is different from the second logical network LNI, as the first and second logical networks are two different logical networks with the first logical network being a logical local area network (LAN) and the second logical network being a logical wide area network (WAN). The logical LAN spans only the first site, while the logical WAN spans at least the first and second sites.

The encapsulation header used to send the data messages from the first edge gateway to the second edge gateway is in some embodiments a first tunnel header, and the data messages sent to the second site are in some embodiments a first set of data messages. In such embodiments, the method also inserts the first logical network LNI in a second encapsulation header that encapsulates a second set of data messages sent from the particular mobile device to the network resources of the first site. The second encapsulation header is also a tunnel header used to send the second set of data messages through a tunnel or a secure connection in some embodiments.
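The data-plane side of the scheme, for both the LAN identifier / SD-WAN identifier passage earlier and the LNI passage just above, as an added example that is not code from the patent or any vendor: the edge gateway stamps the LNI chosen by the control plane into a VXLAN-style tunnel header (the 24-bit VNI field, RFC 7348) and the subgroup VLAN into an inner IEEE 802.1Q tag, and the receiving gateway delivers a frame only when its LNI belongs to a logical network that gateway terminates. The outer IP/UDP headers are omitted; the `EdgeGateway` class, the LNI values and the MAC addresses are constructed. The caveat the example encodes: VXLAN carries no integrity or confidentiality protection of its own, so the LNI is a segmentation token, not proof of origin; isolation rests on the receiving gateway refusing LNIs it does not terminate and on the underlay or tunnel being protected separately.

```python
"""Data-plane view: the LNI goes in the VXLAN VNI field, the subgroup VLAN in
an inner 802.1Q tag, and the receiving edge gateway filters by LNI.

Added example, not code from the patent or any vendor. Header layouts follow
RFC 7348 (VXLAN) and IEEE 802.1Q; outer IP/UDP headers are omitted; the
EdgeGateway class, LNI values and MAC addresses are constructed.
"""
import struct
from typing import Iterable, List, Optional, Tuple

VXLAN_FLAG_I = 0x08             # "VNI valid" bit
ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
INNER_HDR_LEN = 6 + 6 + 4 + 2   # dst, src, 802.1Q tag, EtherType


def vxlan_header(lni: int) -> bytes:
    """8 bytes: flags(1) reserved(3) VNI(3) reserved(1); the LNI is the VNI."""
    if not 0 <= lni < (1 << 24):
        raise ValueError("LNI must fit in the 24-bit VNI field")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00" * 3, lni << 8)


def parse_vxlan_header(buf: bytes) -> int:
    flags, _reserved, vni_field = struct.unpack("!B3sI", buf[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI not marked valid")
    return vni_field >> 8


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def inner_frame(dst: str, src: str, vlan: int, payload: bytes) -> bytes:
    """Ethernet frame with an 802.1Q tag (PCP=0, DEI=0) carrying the VLAN ID."""
    tci = vlan & 0x0FFF
    return mac(dst) + mac(src) + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IPV4) + payload


def parse_inner_vlan(frame: bytes) -> int:
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETH_P_8021Q:
        raise ValueError("inner frame carries no VLAN tag")
    return tci & 0x0FFF


class EdgeGateway:
    """T0/edge gateway: encapsulates on send, filters by LNI on receive."""

    def __init__(self, name: str, terminated_lnis: Iterable[int]):
        self.name = name
        self.terminated = set(terminated_lnis)
        self.dropped: List[Tuple[int, str]] = []

    def encapsulate(self, lni: int, vlan: int, src: str, dst: str, payload: bytes) -> bytes:
        return vxlan_header(lni) + inner_frame(dst, src, vlan, payload)

    def receive(self, packet: bytes) -> Optional[Tuple[int, int, bytes]]:
        lni = parse_vxlan_header(packet)
        if lni not in self.terminated:
            # Fail closed: an LNI this gateway does not terminate is never
            # bridged into a local segment, whatever the inner VLAN says.
            self.dropped.append((lni, "LNI not terminated here"))
            return None
        frame = packet[8:]
        return lni, parse_inner_vlan(frame), frame[INNER_HDR_LEN:]


# Constructed: per-group LNIs for the branch-local logical LAN (first logical
# network) and for the branch-to-cloud logical WAN (second logical network).
LAN_LNI = {"engineering": 5001, "finance": 5002}
WAN_LNI = {"engineering": 7001, "finance": 7002}

DEVICE = "aa:bb:cc:00:00:01"        # engineering/platform device, VLAN 110
BRANCH_SERVER = "00:50:56:00:00:10"
CLOUD_SERVER = "00:50:56:00:00:20"


def demo():
    branch = EdgeGateway("branch-t0", LAN_LNI.values())
    cloud = EdgeGateway("cloud-t0", WAN_LNI.values())
    to_branch = branch.encapsulate(LAN_LNI["engineering"], 110, DEVICE, BRANCH_SERVER, b"local")
    to_cloud = branch.encapsulate(WAN_LNI["engineering"], 110, DEVICE, CLOUD_SERVER, b"remote")
    local = branch.receive(to_branch)     # delivered on the branch LAN
    remote = cloud.receive(to_cloud)      # delivered on the cloud side of the WAN
    leaked = cloud.receive(to_branch)     # LAN LNI never crosses the WAN
    return local, remote, leaked


if __name__ == "__main__":
    print(demo())
```

The two LNIs per group make the "same network" and "different networks" embodiments concrete: giving the LAN and WAN the same value collapses the branch and cloud into one overlay, while distinct values keep branch-only traffic from ever being accepted by the cloud gateway even if it reaches it.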

The method of some embodiments is performed by a set of SDEN servers implementing an SDEN control plane at the first site. In such embodiments, an SDEN management plane operates in the second site along with a software-defined network (SDN) management plane, an SDN control plane, and an SDN edge gateway to connect to the first site. In some embodiments, the network resources include one or more of servers (e.g., VMs, containers, Pods, etc.), applications, middlebox services (e.g., firewall services, network address translation services, load balancing services, etc.), and forwarding elements (e.g., routers, switches, etc.).

At least two different logical networks are implemented for at least two different groups of the entity in some embodiments. These groups are in some embodiments different user groups of the entity. These groups in other embodiments are different device groups of the entity. The groups in other embodiments are a combination of user and device groups of the entity. The first site in some embodiments is a branch site of the entity, while the second site is a cloud site of the entity.

In some embodiments, the particular mobile device is authenticated by receiving a set of authentication credentials from the particular mobile device and using the set of authentication credentials to authenticate the particular mobile device. The set of authentication credentials in some embodiments includes a username and password of a user of the particular mobile device. In some embodiments, the method directs an authentication server operating at the first site to authenticate the particular mobile device. In other embodiments, the method directs an authentication server operating at the second site to authenticate the particular mobile device by providing the set of authentication credentials to the authentication server.

In some embodiments, the MDM group is identified by using the set of MDM servers to identify a device group to which the particular mobile device belongs. In such embodiments, the SDEN control plane provides the device's MAC address to the MDM server set to determine the device group. A device group is in some embodiments defined based on the device type, such as a first group for laptops, a second group for smartphones, a third group for tablets, etc. In other embodiments, the SDEN control plane determines to which user group the user of the mobile device belongs. In such embodiments, the SDEN control plane provides the user's credentials to the MDM server set to determine the user group. The SDEN control plane of some embodiments also provides the device's MAC address along with the user's credentials to identify the user group.

The preceding Summary is intended to serve as a brief introduction to some embodiments of the invention. It is not meant to be an introduction or overview of all inventive subject matter disclosed in this document. The Detailed Description that follows and the Drawings that are referred to in the Detailed Description will further describe the embodiments described in the Summary as well as other embodiments. Accordingly, to understand all the embodiments described by this document, a full review of the Summary, Detailed Description, the Drawings, and the Claims is needed. Moreover, the claimed subject matters are not to be limited by the illustrative details in the Summary, Detailed Description, and Drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features of the invention are set forth in the appended claims. However, for purposes of explanation, several embodiments of the invention are set forth in the following figures.

FIG. 1 illustrates a shared network fabric used by several users of a single entity to implement one or more SD-WANs for different user groups.

FIG. 2 conceptually illustrates a process of some embodiments for dynamically associating mobile devices with different SD-WANs implemented for different user groups of a single shared network fabric of a single entity.

FIG. 3 illustrates an example embodiment of an SD-WAN for connecting multiple branch sites of a particular entity to each other and to a controller and at least one datacenter hub.

FIG. 4 illustrates a physical topology of an example branch site.

FIG. 5 illustrates a more detailed physical topology of an example branch site.

FIG. 6 illustrates a logical topology for implementing a branch site in some embodiments.

FIG. 7 illustrates communication for a branch site for wired devices.

FIG. 8 illustrates communication for a branch site for wireless devices.

FIG. 9 illustrates a detailed physical topology of an example remote site.

FIG. 10 illustrates a logical topology for implementing a remote site in some embodiments.

FIG. 11 illustrates communication for a remote site for wired devices.

FIG. 12 illustrates communication for a remote site for wireless devices.

FIG. 13 conceptually illustrates a process of some embodiments for dynamically associating mobile devices with different SD-WANs on a shared network fabric of an entity.

FIG. 14 conceptually illustrates a process of some embodiments for dynamically associating mobile devices with different logical networks implemented on a shared network fabric of an entity.

FIG. 15 conceptually illustrates an electronic system with which some embodiments of the invention are implemented.

DETAILED DESCRIPTION

In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it will be clear and apparent to one skilled in the art that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.

Some embodiments provide a novel method for dynamically associating mobile devices with different software-defined wide area networks (SD-WANs) implemented for different user groups of a single shared network fabric of a single entity. The method identifies a particular mobile device that is trying to connect to a managed network switch. The method uses a set of one or more mobile device management (MDM) servers to identify a set of attributes associated with the particular mobile device attempting to access the shared network fabric. The method uses the identified set of attributes to identify an SD-WAN tenant identifier (ID) associated with a particular SD-WAN established for a group of devices including the particular mobile device. The method provides the SD-WAN tenant ID to the managed network switch to store in encapsulating headers that the managed network switch uses to encapsulate data message flows from the particular mobile device before forwarding the data message flows to one or more resources in the shared network fabric.

Some embodiments establish different SD-WANs for different user groups in order to isolate traffic between the different user groups. The managed network switch in some embodiments encapsulates different data message flows from different wired and wireless devices, including the particular mobile device, to forward the different data message flows to different resources in the shared network fabric. In some embodiments, the shared network fabric includes at least one of datacenter sites, branch sites, and cloud sites. The particular mobile device in some embodiments resides in a particular branch site of the shared network fabric. In some embodiments, the MDM server set resides in the particular branch site along with the particular mobile device. In these embodiments, the MDM server set performs operations for each mobile device in the particular branch site. In other embodiments, the MDM server set resides in a cloud site of the shared network fabric. In these embodiments, the MDM server set performs operations for mobile devices in one or more branch sites that do not include an MDM server set.

The method of some embodiments identifies the particular mobile device by identifying a media access control (MAC) address of the particular mobile device. In such embodiments, the method supplies the MAC address of the particular mobile device to the MDM server set in order to retrieve the set of attributes. In some embodiments, the set of attributes includes a user group ID associated with a particular user group to which the particular mobile device belongs. In such embodiments, the method supplies the MAC address of the particular mobile device to the MDM server set to identify the user group ID. The user group ID is in some embodiments further associated with a particular user of the particular mobile device.

In some embodiments, the set of attributes also includes a user subgroup ID for a particular user subgroup of the particular user of the particular mobile device. In such embodiments, users are segmented into both groups and subgroups in order to further isolate traffic between users. The method of some embodiments uses the user subgroup ID to identify a virtual local area network (VLAN) tag for the particular user subgroup. This VLAN tag specifies a particular VLAN of the particular SD-WAN for the particular user subgroup.

The method of some embodiments provides, along with the SD-WAN tenant ID, the VLAN tag to the managed network switch to store in the encapsulating headers that the managed network switch uses to encapsulate the data message flows. In some embodiments, the managed network switch encapsulates the SD-WAN tenant ID and the VLAN tag in different encapsulating headers of the data message flows. In other embodiments, the managed network switch encapsulates the SD-WAN tenant ID and the VLAN tag in a same encapsulating header of the data message flows.

Some embodiments provide a novel method for dynamically associating mobile devices with different SD-WANs implemented on a shared network fabric of an entity. At least two different SD-WANs are implemented for at least two different groups of the entity. At a first site of the entity connected to a second site of the entity through the SD-WANs, the method identifies a particular mobile device that needs to connect to an SD-WAN. The method uses a set of one or more MDM servers to identify an MDM group with which the particular mobile device is associated. The method uses the identified MDM group to identify a particular local area network (LAN) at the first site for the particular mobile device to connect to network resources of the first site that are connected to the particular LAN. The method uses the identified MDM group to identify a particular SD-WAN for the particular mobile device to use to connect to a second site to have access to a set of one or more network resources at the second site.

In some embodiments, using the identified MDM group to identify the particular LAN at the first site for the particular mobile device to connect to the network resources of the first site includes inserting in a first encapsulating header, which is used to send a first set of encapsulated data messages between the particular mobile device and the network resources of the first site, a LAN identifier associated with the LAN. By encapsulating data messages sent between the particular mobile device and the network resources of the first site with the LAN identifier, the data messages will be sent through the LAN. In some embodiments, the LAN identifier is inserted into encapsulating headers by an SD-WAN edge appliance operating at the first site to forward the encapsulated data message flows to the network resources of the first site.

Using the identified MDM group to identify the particular SD-WAN for the particular mobile device to use to connect to the second site in some embodiments includes inserting in a second encapsulating header, which is used to send a second set of encapsulated data messages between the particular mobile device and the set of network resources at the second site, an SD-WAN identifier associated with the particular SD-WAN. By encapsulating data messages sent between the particular mobile device and the set of network resources at the second site with the SD-WAN identifier, the data messages will be sent through the SD-WAN. In some embodiments, the SD-WAN identifier is inserted into encapsulating headers by an SD-WAN edge appliance operating at the first site to forward the encapsulated data message flows to an orchestration service operating at the second site. In some embodiments, the LAN identifier is different from the SD-WAN identifier. In other embodiments, the LAN identifier and the SD-WAN identifier are the same identifier.

The method of some embodiments is performed by a set of software-defined edge network (SDEN) servers implementing an SDEN control plane at the first site. In such embodiments, an SDEN management plane operates in the second site along with an orchestration service (e.g., a VeloCloud® orchestration service) to connect to the first site. In some embodiments, the network resources include one or more of servers (e.g., virtual machines (VMs), containers, Pods, etc.), applications, middlebox services (e.g., firewall services, network address translation services, load balancing services, etc.), and forwarding elements (e.g., routers, switches, etc.).

The particular LAN of some embodiments is a first logical network of several logical networks implemented at the first site for several different groups of mobile devices. These logical networks are implemented in some embodiments to isolate data message flows between the different groups.

Some embodiments provide a novel method for dynamically associating mobile devices with different logical networks implemented on a shared network fabric of an entity. At least two different logical networks are implemented for at least two different groups of the entity. At a first site of the entity, the method authenticates a particular mobile device. The method uses a set of one or more MDM servers to identify an MDM group with which the particular mobile device is associated. The method uses the identified MDM group to identify a first logical network that is defined over a shared network fabric at the first site for the particular mobile device to connect to network resources of the first site that are connected to the first logical network. The method uses the identified MDM group to identify a logical network identifier (LNI) associated with a second logical network connecting a first edge gateway at the first site to a second edge gateway at a second site of the entity. The method inserts the LNI in an encapsulation header that encapsulates data messages sent from the particular mobile device to a set of one or more network resources at the second site.

The second logical network identified by the LNI in some embodiments (1) spans the first and second sites and (2) connects the particular mobile device at the first site to the set of one or more network resources at the second site. In some embodiments, the encapsulation header is a tunnel header used to send the data messages from the first edge gateway to the second edge gateway through a tunnel established between the first and second edge gateways. This tunnel connects the first and second sites so that the particular mobile device is able to access the set of network resources at the second site. Because the data messages sent from the particular mobile device traverse this tunnel between the two edge gateways, the particular mobile device can be seen as in the same overlay network as the set of network resources in the second site. (The tunnel isolates flows by logical network; it protects them from an attacker on the underlay only if the tunnel itself is encrypted and authenticated, for example with IPsec.)

In some embodiments, the LNI is inserted into the encapsulating header by a tier-0 (T0) router operating at the first site to forward the encapsulated data messages to an edge node (or another T0 router) at the second site. The first logical network in some embodiments also has an associated LNI. In some embodiments, the first logical network LNI is the same as the second logical network LNI, as the first and second logical networks are one network. In other embodiments, the first logical network LNI is different from the second logical network LNI, as the first and second logical networks are two different logical networks with the first logical network being a logical local area network (LAN) and the second logical network being a logical wide area network (WAN). The logical LAN spans only the first site, while the logical WAN spans at least the first and second sites.

The encapsulation header used to send the data messages from the first edge gateway to the second edge gateway is in some embodiments a first tunnel header, and the data messages sent to the second site are in some embodiments a first set of data messages. In such embodiments, the method also inserts the first logical network LNI in a second encapsulation header that encapsulates a second set of data messages sent from the particular mobile device to the network resources of the first site. The second encapsulation header is also a tunnel header used to send the second set of data messages through a tunnel or a secure connection in some embodiments.

The method of some embodiments is performed by a set of SDEN servers implementing an SDEN control plane at the first site. In such embodiments, an SDEN management plane operates in the second site along with a software-defined network (SDN) management plane, an SDN control plane, and an SDN edge gateway to connect to the first site. In some embodiments, the network resources include one or more of servers (e.g., VMs, containers, Pods, etc.), applications, middlebox services (e.g., firewall services, network address translation services, load balancing services, etc.), and forwarding elements (e.g., routers, switches, etc.).

FIG. 1 illustrates a shared network fabric 100, used by several users of a single entity, to implement one or more SD-WANs 110 for different user groups. The shared network fabric 100 includes, in some embodiments, one or more datacenter sites 120, one or more branch sites 130, and a cloud 140. The datacenter sites 120 and branch sites 130 can each reside in a different geographic location (also referred to as a physical site).

The datacenter sites 120 and the branch sites 130 in some embodiments each include a set of resources, which may include servers, hosts, routers, switches, and/or other physical or logical elements (e.g., VM, containers, etc.). The resources may communicate with resources of other branches and/or other resources outside of their own site through forwarding elements (e.g., edge nodes, gateways, etc.). A datacenter forwarding node is referred to as a hub node because in some embodiments this forwarding node can be used to connect (e.g., through a virtual private network (VPN) tunnel) to other edge forwarding nodes of the branch sites 130. A hub node in some embodiments provides services (e.g., middlebox services) for data messages that it forwards from one branch site to another branch site. A hub node in some embodiments also provides access to the datacenter's resources.

In some embodiments, the cloud 140 spans each physical site of the datacenter sites 120 and branch sites 130. In this example, the shared network fabric 100 includes one cloud 140. However, in other embodiments, the shared network fabric 100 includes multiple clouds. The cloud 140 of some embodiments includes a set of one or more cloud resources, such as a cloud gateway (CGW). The CGW in some embodiments connects the datacenter sites 120 and branch sites 130 (e.g., using VPN tunnels).

In some embodiments, one branch site 130 includes a set of one or more mobile devices 150, a secure wireless access point (WAP) 155, a network fabric 160 including a managed wireless network (MWN) switch 165, a set of one or more SDN servers 170, a set of one or more SDEN servers 175, an authentication server 180, a set of one or more mobile device management (MDM) servers 185, a set of compute management/configuration servers 190, and a set of one or more machines 195 executing on a set of one or more host computers 197. Each branch site 130 can include any number of each of these components. In other embodiments, different branch sites include at least a subset of the components 150-197. The compute management/configuration server set 190 in some embodiments manages and configures the machines 195 executing on the hosts 197. The machines 195 can include one or more of VMs, containers, pods, etc.

In some embodiments, the SDN server set 170 includes one or more managers and/or one or more controllers responsible for configuring the network fabric 160 of the branch site, including the managed wireless network switch 165. The managed wireless network switch 165 is in some embodiments a hardware switch, and, in other embodiments, is a software or virtual switch. In some embodiments, it is a wired switch connected by a physical link to the secure WAP 155. In other embodiments, it is a wireless switch connected, e.g., by a secure tunnel, to the secure WAP 155.

The shared network fabric 100 is used by several users of a single entity. For example, the shared network fabric 100 in some embodiments is used by employees of a single enterprise or corporation. In order to isolate traffic of different user groups (e.g., of different departments of the corporation), the shared network fabric 100 in some embodiments implements a different SD-WAN 110 for each user group that uses the shared network fabric 100. Any number of SD-WANs may be created for any number of user groups. In some embodiments, one SD-WAN is created for each user group. In other embodiments, at least one user group has multiple SD-WANs created for it.

In some embodiments, each device of each user in a user group is associated with a tenant identifier (ID). For instance, each device associated with a first SD-WAN is associated with a first set of one or more tenant IDs for the first SD-WAN, while each device associated with a second SD-WAN is associated with a second set of one or more tenant IDs for the second SD-WAN. In some embodiments, each user and each device for a particular user group is associated with the same tenant ID for the SD-WAN of the user group. In other embodiments, different tenant IDs are associated with the different users, meaning that all devices of a particular user are associated with a user-specific tenant ID for the SD-WAN of the user group. Still, in other embodiments, different tenant IDs are associated with different types of devices, meaning that each different type of device (e.g., desktop computer, laptop computer, mobile phone, etc.) of one user is associated with a different tenant ID for one SD-WAN of the user group. In such embodiments, the same type of device for different users is associated with the same tenant ID in some embodiments, while, in other embodiments, same-type devices of different users are associated with different tenant IDs.

To associate user devices with an SD-WAN, some embodiments use a set of SDEN servers 175. As shown, the SDEN server set 175 of some embodiments is deployed in a branch site 130. An SDEN server set 175 of some embodiments allows for users of the shared network fabric 100 to be automatically recognized based on user and/or device identity and added to the correct SD-WAN. For example, a mobile device 150 sends a request to access the shared network fabric 100 to the secure WAP 155. The secure WAP 155 verifies a signature of the mobile device 150. In some embodiments, the secure WAP 155 verifies the signature of a particular application used by the mobile device to provide user credentials (e.g., a username and password). Once the secure WAP 155 verifies the mobile device's signature, the secure WAP 155 instantiates a secure (e.g., encrypted) channel between the secure WAP 155 and the mobile device 150 to collect user attributes, such as the user's ID, a password, and/or a media access control (MAC) address of the mobile device. In some embodiments, the collected MAC address is the source MAC address of the mobile device 150.

Then, the secure WAP 155 sends the collected user attributes to the SDEN server set 175 through the managed wireless network switch 165. Using the user's attributes, the SDEN server set 175 authenticates the user using the authentication server 180. In some embodiments, the authentication server 180 is a Remote Authentication Dial-In User Service (RADIUS) server. Once the user has been authenticated, the SDEN server set 175 supplies the collected user attributes (e.g., the user ID and/or MAC address) to the MDM server set 185. In some embodiments, an MDM server set is deployed in each branch site 130. In other embodiments, one MDM server set is deployed in the cloud 140 for each branch site 130. Still, in other embodiments, a subset of branch sites deploy their own MDM server set, while another subset of branch sites use an MDM server set in the cloud 140.

The MDM server set 185 in some embodiments provides one or more MDM attributes for the mobile device 150, the user (of the mobile device), and/or application (executing on the mobile device) requesting access to the shared network fabric 100. The MDM server set 185 in some embodiments is the server set that also provisions mobile devices for accessing the resources of the shared network fabric 100. Provisioning in different embodiments involves different combinations of the following operations: (1) adding the mobile device's identifier to a list of mobile devices that can have remote access, (2) adding a user identifier to identify one or more users that can have remote access through the mobile device, (3) providing VPN access software and/or settings to the mobile device so that the mobile device can set up secure VPN remote access with the datacenter, and (4) defining tenant information, like corporation identifier, user entitlements, etc.

After receiving the user attributes, the MDM server set 185 of some embodiments determines one or more user group attributes of a particular user group to which the user of the mobile device 150 belongs. In some embodiments, the MDM server set 185 maintains mappings between user attributes and user group attributes. The MDM server set 185 of some embodiments maintains mappings between MAC addresses of devices 150 and user group IDs. These mappings are stored in a local storage or memory of the MDM server set 185, in some embodiments. The MDM server set 185 of some embodiments associates user attributes (e.g., MAC addresses) to user group attributes (e.g., user group IDs) using a set of policies defined by a network administrator of the shared network fabric 100.

The SDEN server set 175 receives one or more user group attributes from the MDM server set 185. For example, the SDEN server set 175 of some embodiments receives a user group ID corresponding to the particular department of the corporation to which the user of the mobile device 150 belongs. Using the obtained user group attributes, the SDEN server set 175 identifies a tenant ID for the user and/or the user group. This tenant ID specifies which SD-WAN 110 the user should be placed. After identifying the tenant ID, the SDEN server set 175 provides the SD-WAN tenant ID to the managed wireless network switch 165. Then, the managed wireless network switch 165 encapsulates communications sent from the mobile device 150 through the secure WAP 155 with the tenant ID (e.g., in an encapsulating header) to forward to other resources in the branch site 130, a datacenter site 120, other branch sites, or the cloud 140.

FIG. 2 conceptually illustrates a process 200 of some embodiments for dynamically associating mobile devices with different SD-WANs implemented for different user groups of a single shared network fabric of a single entity (e.g., a corporation). The process 200 of some embodiments is performed by a set of one or more SDEN servers operating in a branch site for a particular mobile device at the branch site. In some embodiments, the process 200 is performed after a secure WAP has received a request for access to a shared network fabric from the particular mobile device, and collected user and/or device attributes from the particular mobile device, such as a MAC address of the particular mobile device and a username and password of a particular user using the particular mobile device.

The process 200 begins by receiving (at 205) a set of user/device attributes for the particular user using the particular mobile device to request access to a shared network fabric of an entity. In some embodiments, the SDEN server set receives a MAC address of the particular mobile device, and authentication credentials (e.g., a username and password) for the particular user from a managed wireless network switch in the branch site. The managed wireless network switch in some embodiments receives these attributes from a secure WAP that enables communication between the particular mobile device and the managed wireless network switch.

Next, the process 200 determines (at 210) whether the particular user is allowed to access the shared network fabric. In some embodiments, the shared network fabric is only able to be accessed by authorized users (i.e., employees or authorized guests) of the corporation. In such embodiments, the SDEN server set uses an authentication server (e.g., a RADIUS server) to authenticate the user's authentication credentials. If the process 200 determines that the particular user is not allowed to access the shared network fabric, the process 200 denies (at 215) access of the particular mobile device to the shared network fabric, and the process 200 ends. In some embodiments, the SDEN server set sends a notification of access denial to the managed wireless network switch, which provides the notification to the particular mobile device through the secure WAP.

If the process 200 determines that the particular user is allowed to access the shared network fabric, the process 200 supplies (at 220) the received user/device attributes to an MDM server set. In some embodiments, the MDM server set resides in the same branch site as the SDEN server set and the particular mobile device. In other embodiments, the MDM server set resides in a cloud site of the shared network fabric. The SDEN server set of some embodiments provides the particular mobile device's MAC address to the MDM server set in order to determine the user group to which the particular user belongs. In other embodiments, the SDEN server set also provides the particular user's authentication credentials to determine the user group.

At 225, the process 200 receives one or more user group attributes for a particular user group to which the particular user belongs. The SDEN server set receives, from the MDM server set, an ID corresponding to the user group (e.g., the department of the corporation) to which the particular user belongs. In some embodiments, the MDM server set maintains a mapping table mapping device MAC addresses to user group IDs. For example, if the particular mobile device belonging to the particular user is part of a finance department of the corporation, the MDM server set maintains a mapping between the particular mobile device's MAC address and an ID identifying the finance department.

After receiving the one or more user group attributes, the process 200 uses (at 230) the received user group attributes to identify an SD-WAN tenant ID for the particular user group specifying a particular SD-WAN belonging to the particular user group. After receiving identification of the particular user's user group, the SDEN server set identifies the SD-WAN for the user group by identifying a tenant ID for the user group. In some embodiments, the same tenant ID is used for all users of the user group. In other embodiments, a set of tenant IDs is used for the user group such that at least two different users of the user group have their own unique tenant ID.

Lastly, the process 200 provides (at 235) the identified SD-WAN tenant ID to the managed wireless network switch to encapsulate data message flows, sent from the particular mobile device to other resources in the shared network fabric, with the SD-WAN tenant ID. After identifying the SD-WAN tenant ID for the particular user group (and, therefore, for the particular user), the SDEN server set provides it to the managed wireless network switch. The managed wireless network switch of some embodiments encapsulates each data message sent from the particular mobile device with an encapsulating header that includes the SD-WAN tenant ID so that all data message flows sent by the particular mobile device are sent through the correct SD-WAN.

In some embodiments, the managed wireless network switch stores the SD-WAN tenant ID in a local storage or memory. For example, the managed wireless network switch of some embodiments maintains, in a local storage, a mapping table that includes mappings between each mobile device it exchanges data message flows for and the tenant ID associated with each mobile device. After providing the SD-WAN tenant ID to the managed wireless network switch, the process 200 ends.

In some embodiments, a mobile device requesting access to a shared network fabric does not belong to a user group with an already established SD-WAN. In such embodiments, the SDEN server set creates a new SD-WAN tenant ID for the user group to create a new SD-WAN for the group. In other embodiments, the mobile device does not belong to any user group. In these embodiments, the MDM server set creates a new user group ID for the user and sends the new user group ID to the SDEN server set. Then, the SDEN server set creates a new SD-WAN tenant ID for the new user group ID to establish a new SD-WAN for the new user group.
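The control-plane flow of process 200 (steps 205 through 235) together with the new-group and new-tenant cases of the preceding paragraph, as an added example that is not code from the patent. The RADIUS server 180, the MDM server set 185 and the managed wireless switch 165 are stood in by in-memory tables; the credentials, MAC addresses, group IDs and tenant ID numbering are constructed for illustration.

```python
"""SDEN control plane: attributes -> authenticate -> MDM group -> SD-WAN tenant ID -> switch table.

Added example, not the patent's code. The authentication server, the MDM server set and the
managed wireless switch are modeled as in-memory tables with constructed values.
"""
import hmac
from dataclasses import dataclass, field
from itertools import count
from typing import Iterator, Optional


@dataclass(frozen=True)
class DeviceAttributes:
    """What the secure WAP collects and the switch relays to the SDEN servers (step 205)."""
    mac: str
    username: str
    password: str


class AuthServer:
    """Stand-in for the RADIUS authentication server 180 (step 210)."""

    def __init__(self, users: dict[str, str]) -> None:
        self._users = users

    def authenticate(self, username: str, password: str) -> bool:
        expected = self._users.get(username)
        if expected is None:
            return False
        # Constant-time comparison so a wrong password fails without a timing side channel.
        return hmac.compare_digest(expected.encode(), password.encode())


class MdmServer:
    """Stand-in for the MDM server set 185: maps a device MAC to a user group ID (steps 220-225)."""

    def __init__(self, mac_to_group: dict[str, str]) -> None:
        self._mac_to_group = dict(mac_to_group)
        self._new_group_ids = count(1000)  # constructed numbering for newly created groups

    def group_for(self, mac: str) -> str:
        # Device in no group yet: the MDM server creates a new user group ID for it.
        if mac not in self._mac_to_group:
            self._mac_to_group[mac] = f"grp-{next(self._new_group_ids)}"
        return self._mac_to_group[mac]


@dataclass
class SdenControlPlane:
    """SDEN server set 175: turns authenticated attributes into an SD-WAN tenant ID (step 230)
    and programs it into the switch's MAC -> tenant ID mapping table (step 235)."""
    auth: AuthServer
    mdm: MdmServer
    group_to_tenant: dict[str, int]
    switch_table: dict[str, int] = field(default_factory=dict)  # the switch's local mapping
    _new_tenant_ids: Iterator[int] = field(default_factory=lambda: count(100))  # constructed

    def admit(self, attrs: DeviceAttributes) -> Optional[int]:
        """Return the tenant ID programmed for attrs.mac, or None when access is denied (step 215)."""
        if not self.auth.authenticate(attrs.username, attrs.password):
            # Denied: make sure no stale entry lets the device's frames into any SD-WAN.
            self.switch_table.pop(attrs.mac, None)
            return None
        group = self.mdm.group_for(attrs.mac)
        tenant = self.group_to_tenant.get(group)
        if tenant is None:
            # The group has no SD-WAN yet: allocate a tenant ID, which creates one.
            tenant = next(self._new_tenant_ids)
            self.group_to_tenant[group] = tenant
        self.switch_table[attrs.mac] = tenant
        return tenant
```

Note that the MDM lookup is keyed on the MAC address, which the device itself reports; the flow only consults it after the RADIUS step has succeeded, and a failed authentication clears any earlier entry for that MAC so that a device cannot keep a tenant mapping it is no longer entitled to.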

In addition to dynamically associating mobile devices with different SD-WANs implemented for different user groups of a single shared network fabric of a single entity, some embodiments associate mobile devices with different virtual local area networks (VLANs) within each SD-WAN for different user subgroups of the shared network fabric in order to further segment each SD-WAN. In such embodiments, the SDEN server set receives, from the MDM server set, (1) user group attributes in order to determine the correct SD-WAN and (2) user subgroup attributes in order to determine the correct VLAN of the SD-WAN.

Using the user group attributes, the SDEN server set determines an SD-WAN tenant ID for the user group. Using the user subgroup attributes, the SDEN server set determines a VLAN tag for the user subgroup. In some embodiments, the SDEN server set also determines an Internet Protocol (IP) subnet for the user subgroup and assigns an IP address from that subnet to the mobile device. Then, the SDEN server set provides the SD-WAN tenant ID, the VLAN tag, and the assigned IP address to the managed wireless network switch for forwarding flows sent from the mobile device to other resources. In some embodiments, the managed wireless network switch places both the tenant ID and VLAN tag in a single encapsulating header of each data message sent from the mobile device. In other embodiments, the managed wireless network switch places the tenant ID and VLAN tag in separate encapsulating headers of each data message sent from the mobile device. Even as the mobile device moves to different branch sites and to different physical locations, the assigned SD-WAN tenant ID, VLAN tag, and IP subnet remain the same.
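The data-plane side of the assignment just described, and of the LNI-in-encapsulation-header mechanism summarized earlier, as an added example that is not code from the patent. It assumes, which the page does not state, that the tenant ID is carried as a 24-bit VXLAN VNI and the VLAN tag as an inner 802.1Q tag (the "separate encapsulating headers" embodiment), and that the tunnel's outer IP/UDP headers are added by the tunnel endpoint and so are not built here. The sample frame, subnet and tenant values are constructed.

```python
"""Per-device tenant ID + VLAN tag + IP address on the data plane.

Added example, not the patent's code. Assumed encoding: tenant ID in a VXLAN VNI (RFC 7348),
VLAN tag in an inner 802.1Q header; outer IP/UDP tunnel headers are omitted.
"""
import struct
from ipaddress import ip_network

VXLAN_FLAG_VNI_VALID = 0x08   # the 'I' flag: VNI field is valid
TPID_8021Q = 0x8100
ETH_HDR_LEN = 14
VXLAN_HDR_LEN = 8


def assign_ip(subnet: str, in_use: set[str]) -> str:
    """Hand out the first free host address of the subgroup's IP subnet."""
    for host in ip_network(subnet).hosts():
        addr = str(host)
        if addr not in in_use:
            in_use.add(addr)
            return addr
    raise RuntimeError(f"subnet {subnet} exhausted")


def encapsulate(frame: bytes, tenant_id: int, vlan_tag: int) -> bytes:
    """Insert the VLAN tag into the Ethernet frame, then prepend a VXLAN header carrying the tenant ID."""
    if not 0 <= tenant_id < (1 << 24):
        raise ValueError("tenant ID must fit in the 24-bit VNI")
    if not 1 <= vlan_tag <= 4094:
        raise ValueError("VLAN tag must be in 1..4094")
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    # 802.1Q tag goes between the source MAC and the EtherType.
    tagged = frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_tag) + frame[12:]
    # VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte.
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, tenant_id << 8)
    return vxlan + tagged


def decapsulate(packet: bytes) -> tuple[int, int, bytes]:
    """Reverse of encapsulate: returns (tenant_id, vlan_tag, untagged_frame), rejecting malformed input."""
    if len(packet) < VXLAN_HDR_LEN + ETH_HDR_LEN + 4:
        raise ValueError("truncated packet")
    flags, vni_field = struct.unpack("!B3xI", packet[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI")
    inner = packet[VXLAN_HDR_LEN:]
    tpid, tci = struct.unpack("!HH", inner[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("inner frame carries no 802.1Q tag")
    return vni_field >> 8, tci & 0x0FFF, inner[:12] + inner[16:]


def tenant_matches_table(packet: bytes, switch_table: dict[str, int]) -> bool:
    """Check a receiving forwarding element can apply: the tenant ID in the header must equal the
    one programmed for the inner source MAC; a mismatch means the flow should be dropped."""
    tenant_id, _, frame = decapsulate(packet)
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return switch_table.get(src_mac) == tenant_id
```

The range checks matter because both identifiers are fixed-width fields: a tenant ID that does not fit in 24 bits would be silently truncated into some other tenant's VNI, and a VLAN ID of 0 or 4095 is reserved by 802.1Q. The "single encapsulating header" embodiment would instead pack both values into one custom header; the checks and the table comparison are the same.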

As discussed previously, different user groups of an entity (e.g., a corporation) are associated with different SD-WANs of a shared network fabric in order to isolate traffic between each user group. An SD-WAN can include any number of branch sites, datacenter sites, and cloud sites of the shared network fabric. Different SD-WANs in some embodiments include different sites located in different geographic locations. For example, a first SD-WAN for an engineering department of some embodiments includes sites in a first set of geographic locations, while a second SD-WAN for a legal department includes sites in a second set of geographic locations. The first and second sets of geographic locations in some embodiments include at least one same geographic site.

FIG. 3 illustrates an example embodiment of an SD-WAN 300 (also referred to herein as a virtual network) for connecting multiple branch sites of a particular entity to each other and to a controller and at least one datacenter hub. As shown, the SD-WAN 300 includes a controller 310, three branch sites 320-324 that each include an edge forwarding node 330-334 (also referred herein as edge nodes or nodes) and resources 336-338, a cloud gateway 340, and a datacenter 350 with a hub 345.

The edge nodes in some embodiments are edge machines (e.g., VMs, containers, programs executing on computers, etc.) and/or standalone appliances that operate at multi-computer locations of the particular entity (e.g., at an office or datacenter of the entity) to connect the computers at their respective locations to other nodes, hubs, etc. in the virtual network. In some embodiments, the edge nodes are clusters of nodes at each of the branch sites. In other embodiments, the edge nodes are deployed to each of the branch sites as high-availability pairs such that one edge node in the pair is the active node and the other edge node in the pair is the standby node that can take over as the active edge node in case of failover.

Each edge node 330-334 in some embodiments includes one or more of edge appliances, broadband routers, and customer edge (CE) routers. In such embodiments, each edge node includes multiple components, and connects to each other site (branch sites 320-324, datacenter 350, and cloud gateway 340) through one or more links. These multiple links in some embodiments include LAN links connecting to resources within the branch site and/or WAN links connecting to the other sites.

In some embodiments, each edge node, hub, and cloud gateway in an SD-WAN (such as the edge nodes 330-334, the datacenter hub 345, and the cloud gateway 340 of the SD-WAN 300) includes a router that performs the data message forwarding operations of the edge node, hub, or cloud gateway. In such embodiments, the next-hop forwarding records of these edge nodes, hubs, and cloud gateways are routing records used by the routers to forward data messages through the SD-WAN.

Each edge node 330-334 in some embodiments connects to an external network through two or more forwarding devices (e.g., an MPLS (multiprotocol label switching) device, a cable modem router, a 5G router) of two or more communication service providers (e.g., a telephone company provider of an MPLS network, a cable modem provider of an ISP (Internet Service Provider), a wireless provider for the 5G connectivity). In some of these embodiments, each edge node 330-334 connects to the forwarding devices of the service providers through two or more physical ports of the edge node.

An example of an entity for which such a virtual network can be established includes a business entity (e.g., a corporation), a non-profit entity (e.g., a hospital, a research organization, etc.), an education entity (e.g., a university, a college, etc.), or any other type of entity. In some embodiments, multiple virtual networks are established for a single entity. For example, for a business entity in some embodiments, a first SD-WAN is established for an engineering department of the business entity, a second SD-WAN is established for a finance department of the business entity, a third SD-WAN is established for a legal department of the business entity, etc. In some embodiments, these SD-WANs differ from one another (e.g., in the sites they span).

For example, the first SD-WAN for the engineering department in some embodiments connects two of the business entity's branch sites and a datacenter site (i.e., the first SD-WAN includes the edge nodes of the two branch sites along with the cloud gateway and the datacenter hub), while the second SD-WAN for the finance department connects all of the business entity's branch sites and not the datacenter site (i.e., the SD-WAN includes the edge nodes of all branch sites along with the cloud gateway). In such embodiments, when a wireless device used by a particular user belonging to a particular department requests to connect to an SD-WAN of the business entity, the wireless device is placed in the correct SD-WAN corresponding to the user's particular department.

Examples of public cloud providers include Amazon Web Services® (AWS), Google Cloud Platform™ (GCP), Microsoft Azure®, etc., while examples of entities include a company (e.g., corporation, partnership, etc.), an organization (e.g., a school, a non-profit, a government entity, etc.), etc. In other embodiments, hubs like the hub 345 can also be deployed in private cloud datacenters of a virtual WAN provider that hosts hubs to establish SD-WANs for different entities.

In the example SD-WAN 300, the hub 345 is a multi-tenant forwarding element that is deployed on the premises of the datacenter 350. The hub 345 can be used to establish secure connection links (e.g., tunnels) with edge nodes at the particular entity's multi-computer sites, such as branch sites 320-324, third-party datacenters (not shown), etc. For example, the hub 345 can be used to provide access from each branch site 320-324 to each other branch site 320-324 (e.g., via the connection links 360 that terminate at the hub 345) as well as to the resources 355 of the datacenter 350. These multi-computer sites are often at different physical locations (e.g., different buildings, different cities, different states, etc.), according to some embodiments. In some embodiments, hubs can be deployed as physical nodes or virtual nodes. Additionally, hubs in some embodiments can be deployed on a cloud (e.g., as a set of virtual edges configured as a cluster).

In the SD-WAN 300, the hub 345 also provides access to the resources 355 of the datacenter 350 as mentioned above. The resources 355 in the datacenter 350 and the resources 336-338 in the branch sites 320-324 in some embodiments include a set of one or more servers (e.g., web servers, database servers, etc.) within a microservices container (e.g., a pod). Conjunctively, or alternatively, some embodiments include multiple such microservices containers, each accessible through a different set of one or more hubs of the datacenter (not shown). The resources, as well as the hubs, are within the datacenter premises, according to some embodiments. While not shown, some embodiments include multiple different Software-as-a-Service (SaaS) datacenters, which may each be accessed via different sets of hubs, according to some embodiments. In some embodiments, the SaaS datacenters include datacenters for video conferencing SaaS providers, for middlebox (e.g., firewall) service providers, for storage service providers, etc.

Additional examples of resources 355 in the datacenter 350 and resources 336-338 in the branch sites 320-324, in some embodiments, include compute machines (e.g., virtual machines and/or containers providing server operations), storage machines (e.g., database servers), and middlebox service operations (e.g., firewall services, load balancing services, encryption services, etc.). Within each branch site 320-324, edge nodes in some embodiments connect to their resources using links, which are the LANs within the branch site. In some embodiments, the connections 360 between the branch sites 320-324 and the hub 345 are secure encrypted connections that encrypt data messages exchanged between the edge nodes 330-334 of the branch sites 320-324 and the hub 345. Examples of secure encrypted connections used in some embodiments include VPN (virtual private network) connections, or secure IPsec (Internet Protocol security) connections.

In some embodiments, multiple secure connection links (e.g., multiple secure tunnels) can be established between an edge node and the hub 345. When multiple such links are defined between a node and a hub, each secure connection link, in some embodiments, is associated with a different physical network link between the node and an external network. For instance, to access external networks in some embodiments, a node has one or more commercial broadband Internet links (e.g., a cable modem and a fiber optic link) to access the Internet, a wireless cellular link (e.g., a 5G LTE network), etc. The collection of the edge nodes, gateway, datacenter hub, controller, and secure connections between the edge nodes, gateway, datacenter hub, and controller form the SD-WAN 300.

The controller 310 of some embodiments communicates with each of the nodes 330-334 at the branch sites 320-324 to assign a tenant ID to the SD-WAN 300. While illustrated as individual connection links, the links 370A-370E are sets of multiple connection links, according to some embodiments. In addition to the connection links 370A-370E and 360, edge nodes 332 and 334 are connected via connection link 364, while edge nodes 330 and 332 are connected to the gateway 340 via connection links 362. The gateway 340 in this example is responsible for relaying information between edge nodes (e.g., edge nodes 330 and 332, which do not share a direct connection). Also, the gateway 340 in some embodiments is used to set up direct edge-to-edge connections. In some embodiments, the gateway 340 can be used to provide the edge nodes with access to cloud resources (e.g., compute, storage, and service resources of a cloud datacenter).

FIG. 4 illustrates an example branch office 400 and its physical components. In this example, the branch office 400 includes a business office 410 and an outdoor lounge 420. The business office 410 includes wireless devices 411, wired devices 412, guest Wi-Fi 413, one or more indoor access points 414, and a network switch 415. The outdoor lounge 420 includes wireless devices 421, wired devices 422, and outdoor access points 423.

The wireless devices 411 and 421 in some embodiments include wireless mobile devices of users in the branch office 400, such as laptops, mobile phones, tablets, etc. The wireless devices 411 and 421 also include, in some embodiments, shared wireless devices, such as a thermostat for the business office 410. In some embodiments, the wired devices 412 inside the business office 410 include devices used by individual users in the branch office 400, such as desktop computers. The wired devices 412 in some embodiments include wired devices used by one or more users inside the business office 410, such as servers, printers, televisions, projectors, and desk phones. The wired devices 422 in the outdoor lounge 420 in some embodiments include wired devices used by one or more users in the outdoor lounge 420, such as security cameras.

The wireless devices 411 inside the business office 410 connect to one or more indoor access points 414. In some embodiments, all wireless devices 411 connect to the same indoor access point. In other embodiments, a first subset of the wireless devices 411 connect to a first indoor access point, while a second subset of the wireless devices 411 connect to a second indoor access point. The guest Wi-Fi 413 also connects to one of the indoor access points 414. By connecting to the indoor access points 414, the wireless devices 411 and guest Wi-Fi 413 can communicate with the network switch 415.

The wired devices 412 of some embodiments connect directly to the network switch 415. The network switch 415 connects to a modem 430 in order to connect to the Internet 440. The network switch 415 allows the wireless devices 411, wired devices 412, and guest Wi-Fi 413 to exchange data message flows with other branch sites through the Internet 440.

The wireless devices 421 out in the outdoor lounge 420 connect to one or more outdoor access points 423. In some embodiments, all wireless devices 421 connect to the same outdoor access point. In other embodiments, a first subset of the wireless devices 421 connect to a first outdoor access point, while a second subset of the wireless devices 421 connect to a second outdoor access point. By connecting to the outdoor access points 423, the wireless devices 421 can communicate with the network switch 415. The wired devices 422 of some embodiments connect directly to the network switch 415. The network switch 415 allows the wireless devices 421 and wired devices 422 to exchange data message flows with other branch sites through the Internet 440.

All of the wireless devices 411 and 421 and the wired devices 412 and 422 are in some embodiments part of one or more SD-WANs established for the branch office's entity. For instance, a first wireless device of the business office wireless devices 411 is in some embodiments part of a first SD-WAN, while a second wireless device of the business office wireless devices 411 is part of a second SD-WAN. While both devices reside in the same physical location (i.e., the same branch site 400), they may be in different virtual networks based on the identity of the user using that device.

FIG. 5 illustrates another example branch site 500 with a more detailed physical topology. In this example, the branch site 500 communicates with one or more datacenter sites and one or more cloud sites 502 through an SD-WAN edge appliance 510. In some embodiments, the SD-WAN edge appliance 510 operates as a standalone computer. In other embodiments, it runs as a software edge node on a host computer in the branch site 500. In some embodiments, the SD-WAN edge appliance 510 includes a router that performs the data message forwarding operations of the SD-WAN edge appliance. In such embodiments, the next-hop forwarding records of the SD-WAN edge appliance 510 are routing records used by the router to forward data messages to the datacenter sites and clouds 502.

In some embodiments, the SD-WAN edge appliance 510 includes two or more edge devices, with each edge device connected to the datacenter sites and clouds 502 through different communication service providers (e.g., an MPLS device, a cable modem router, a 5G router, etc.). In some of these embodiments, the edge devices of the SD-WAN edge appliance 510 connect to each other using a physical cable link.

The branch site 500 also communicates with the Internet 504. Data message flows received from the datacenter sites and cloud sites 502 (through the SD-WAN edge appliance 510) and the Internet 504 are sent through one or more firewall processes 515. In some embodiments, one or more cloud sites 502 include one or more MDM servers (not shown) for use by the branch site 500.

After being processed by the firewall processes 515, allowed data message flows are sent to a Tier-0 (T0) router 520 of the branch site 500, and then to a core switch 530. The core switch 530 is connected to a wireless access controller 535. In some embodiments, the wireless access controller 535 configures the WAP 553 and controls policies used by the WAP 553. In such embodiments, the wireless access controller 535 sends WAP policies to the WAP 553 through the core switch 530. Any number of WAPs may execute in the branch site 500.

The core switch 530 connects to a rack switch 540, a managed wireless network switch 550, and an access switch 560 that connect to different types of endpoints in the branch site 500 and are configured by SDN servers (e.g., SDN managers and controllers) (not shown) operating at the branch site 500. The rack switch 540 connects to one or more servers 545. The managed wireless network switch 550 connects to a WAP 553, which provides communication between the managed wireless network switch 550 and wireless devices 555 at the branch site 500. The access switch 560 is a managed wired network switch (i.e., a switch that is managed by a set of SDN managers and controllers and that has physical ports for receiving Ethernet cables) that connects to the wired devices 565 at the branch site 500. The core switch 530 enables all endpoints 545, 555, and 565 to exchange data message flows with each other and with resources outside the branch site 500 (e.g., resources residing at the datacenter sites and clouds 502 and resources reachable over the Internet 504).

All of the wireless devices 555 and the wired devices 565 are in some embodiments part of one or more SD-WANs established for the branch office's entity. For instance, a first wireless device is in some embodiments part of a first SD-WAN, while a second wireless device is part of a second SD-WAN. While both devices reside in the same physical location (i.e., the same branch site 500), they may be in different virtual networks based on the identity of the user using that device.

FIG. 6 illustrates a logical topology for implementing a branch site in some embodiments. In this example, a branch site 610 includes a set of one or more endpoints 611, a set of one or more infrastructure switches 612, a router 613, a T0 router 614, an edge appliance 615, and an SDEN control plane 616. A cloud 620 includes an SDN edge node 621, an SDN control plane 622, an SDN management plane 623, an orchestration service 624, an authentication server 625, a data store 626, an MDM server 627, and an SDEN management plane 628.

In the branch site 610, the endpoints 611 include one or more of wireless devices and wired devices used by users in the branch site 610 (e.g., employees of the corporation at the branch site location). The endpoints 611 connect to the infrastructure switches 612. The infrastructure switches 612 are in some embodiments a set of managed switches configured by SDN servers (e.g., SDN managers and controllers) (not shown) operating at the branch site 610. The infrastructure switches 612 include, in some embodiments, an MWN switch (e.g., reached through a secure WAP), a rack switch, an access switch (i.e., a managed wired network switch), and/or a core switch (such as the switches 530, 540, 550, and 560 in FIG. 5). In some embodiments, the endpoints 611 are placed in an SD-WAN based on the endpoint's MAC address and/or the user's group identity (e.g., the user's responsibility and role within the corporation). User group identities are maintained by the MDM server 627 in the cloud.

The infrastructure switches 612 communicate with the SDEN control plane 616, which includes a cluster of one or more SDEN controllers for dynamically associating the endpoints 611 with different SD-WANs implemented for different user groups. For instance, an MWN switch of the infrastructure switches 612 in some embodiments requests the SDEN control plane 616 to retrieve MDM attributes (e.g., SD-WAN tenant IDs) from the MDM server 627 in the cloud 620. The SDEN control plane 616 provides the MDM attributes to the MWN switch for the MWN switch to embed (e.g., encapsulate) them in data message flows sent by wireless devices of the endpoints 611. As another example, an access switch (e.g., a managed wired network switch) of the infrastructure switches 612 in some embodiments requests the SDEN control plane 616 to retrieve MDM attributes (e.g., SD-WAN tenant IDs) from the MDM server 627 in the cloud 620. The SDEN control plane 616 provides the MDM attributes to the access switch for the access switch to embed (e.g., encapsulate) them in data message flows sent by wired devices of the endpoints 611.

In some embodiments, the SDEN control plane 616 allows for communications between the MDM server 627 and the SDN components 621-623. The SDEN control plane 616 communicates with the authentication server 625 in the cloud 620 to authenticate a user of one or more endpoints 611. The SDEN control plane 616 and authentication server 625 in some embodiments operate similarly to the SDEN servers 175 and authentication server 180 of FIG. 1, respectively.

The authentication server 625 uses user identity information stored in the data store 626 to authenticate a user. In some embodiments, the data store 626 is a directory server (e.g., an Active Directory (AD) offered by Microsoft® Corporation) that stores directory service information, such as user and device information. The data store 626 is in some embodiments a centralized and hierarchical database. The authentication server 625 of some embodiments uses a protocol (e.g., Lightweight Directory Access Protocol (LDAP)) to access the data store 626.

The SDEN control plane 616 is managed by the SDEN management plane 628 residing in the cloud 620. In some embodiments, the SDEN management plane 628 includes a cluster of one or more management servers that manage the SDEN control plane 616 based on configuration data received from a network administrator. In some embodiments, the SDEN management plane 628 also manages the data store 626 and the MDM server 627. In the cloud 620, the SDN management plane 623 manages the SDN control plane 622 and the SDN edge node 621.

The infrastructure switches 612 also communicate with the router 613 in some embodiments. For instance, a core switch of the infrastructure switches 612 in some embodiments communicates directly with the router 613 for an MWN switch, rack switch, and access switch to communicate with the router 613. The router 613 connects to the edge appliance 615 to connect to the orchestration service 624. This connection provides a way for implementing multiple SD-WANs using the SDEN control plane 616 in the branch site 610 and the SDEN management plane 628 in the cloud 620. Further information regarding this connection will be described below. The edge appliance 615 is in some embodiments one part of an edge node (e.g., edge nodes 330-334) along with CE routers and/or broadband routers that use routing records to forward data messages to the cloud 520.

In some embodiments, the edge appliance 615 also connects to the SDN edge node 621 using a secure connection (e.g., a tunnel). While the edge appliance 615 is shown in this figure as connecting to components in a cloud site 620, in other embodiments, the edge appliance 615 connects to other edge nodes (e.g., edge appliances, T0 routers, etc.) in other branch sites, hub nodes in datacenter sites, and cloud gateways in other cloud sites.

In some embodiments, the router 613 connects to a T0 router 614 for implementing multiple logical networks. For instance, the SDEN control plane 616 first uses the MDM server 627 to identify the group with which a particular endpoint 611 is to be associated. Using this information, the SDEN control plane 616 notifies the SDEN management plane 628 that the particular endpoint 611 needs logical network access to the cloud 620, and the SDEN management plane 628 relays this to the SDN management plane 623.

The SDN management plane 623 uses the SDN control plane 622 and the SDN edge node 621 to create a logical network connection (e.g., a secure channel, a tunnel (such as a Geneve tunnel)) between the SDN edge node 621 and the T0 router 614 at the branch site 610. In such embodiments, the branch site 610 communicates with the cloud 620 using this connection instead of communicating between the edge appliance 615 and the orchestration service 624. Although the T0 router 614 is illustrated here as communicating via a tunnel with an SDN edge node 621 in a cloud site 620, the T0 router 614 in other embodiments connects to other T0 routers or edge nodes in other branch sites, to hub nodes in datacenter sites, and to cloud gateways in cloud sites. These connections are in some embodiments established using tunnels (like the connection between the T0 router 614 and the SDN edge node 621) between the T0 router 614 and the other edge nodes, hub nodes, and cloud gateways in the other sites.
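The two passages above describe switches embedding SD-WAN tenant IDs in the encapsulation of endpoint traffic and a Geneve tunnel carrying that traffic between sites. The following is an added example, not the patent's or any product's code; it assumes the tenant ID is carried in the 24-bit VNI field of an option-less Geneve header (RFC 8926), which the page does not specify, and the MAC addresses and MAC-to-tenant table are constructed sample data. It also shows the check a receiving edge can apply so that a frame whose source MAC was mapped to one tenant is dropped if it arrives tagged with another tenant's identifier.

```python
"""Tenant-ID (LNI) encapsulation in a Geneve header and a remote-edge admission check.

Added example. Assumption: the SD-WAN tenant ID is placed in the Geneve VNI
field; the page only says the LNI goes into an encapsulation header and names
Geneve as one tunnel type. All addresses and tables below are constructed.
"""
import struct

GENEVE_VER = 0
ETH_P_TEB = 0x6558  # Transparent Ethernet Bridging: inner payload is a full Ethernet frame


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_ethernet_frame(dst_mac: str, src_mac: str, payload: bytes) -> bytes:
    """Inner Ethernet frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + payload


def geneve_encapsulate(tenant_id: int, inner_frame: bytes) -> bytes:
    """Prepend an option-less Geneve header whose VNI is the SD-WAN tenant ID."""
    if not 0 <= tenant_id < (1 << 24):
        raise ValueError("tenant ID must fit the 24-bit VNI field")
    first = (GENEVE_VER << 6) | 0          # Ver=0, Opt Len=0 (no options)
    flags = 0                              # O (OAM) and C (critical) bits clear
    header = struct.pack("!BBH", first, flags, ETH_P_TEB)
    header += tenant_id.to_bytes(3, "big") + b"\x00"   # VNI + reserved byte
    return header + inner_frame


def geneve_decapsulate(packet: bytes):
    """Return (vni, protocol_type, inner_payload); options are skipped, not parsed."""
    if len(packet) < 8:
        raise ValueError("truncated Geneve header")
    first, _flags, proto = struct.unpack("!BBH", packet[:4])
    if first >> 6 != GENEVE_VER:
        raise ValueError("unsupported Geneve version")
    opt_len = (first & 0x3F) * 4           # Opt Len is counted in 4-byte words
    if len(packet) < 8 + opt_len:
        raise ValueError("truncated Geneve options")
    vni = int.from_bytes(packet[4:7], "big")
    return vni, proto, packet[8 + opt_len:]


def admit_at_remote_edge(packet: bytes, mac_to_tenant: dict):
    """Receiving-edge check: the LNI must equal the tenant the control plane
    mapped the inner source MAC to; anything else is dropped."""
    vni, proto, inner = geneve_decapsulate(packet)
    if proto != ETH_P_TEB or len(inner) < 14:
        return "drop", "inner payload is not an Ethernet frame"
    src = mac_str(inner[6:12])
    expected = mac_to_tenant.get(src)
    if expected is None:
        return "drop", f"unknown source MAC {src}"
    if expected != vni:
        return "drop", f"LNI {vni} does not match tenant {expected} for {src}"
    return "forward", vni


def run_demo():
    # Constructed control-plane state produced by the onboarding flow: MAC -> tenant ID.
    mac_to_tenant = {"aa:bb:cc:00:00:01": 1001, "aa:bb:cc:00:00:02": 1002}
    frame_01 = build_ethernet_frame("02:00:00:00:00:ff", "aa:bb:cc:00:00:01", b"payload-1")
    frame_02 = build_ethernet_frame("02:00:00:00:00:ff", "aa:bb:cc:00:00:02", b"payload-2")
    good = geneve_encapsulate(1001, frame_01)          # correct LNI for device :01
    cross_tenant = geneve_encapsulate(1001, frame_02)  # device :02 tagged with tenant 1001
    return {
        "roundtrip": geneve_decapsulate(good) == (1001, ETH_P_TEB, frame_01),
        "header_len": len(good) - len(frame_01),
        "good": admit_at_remote_edge(good, mac_to_tenant),
        "cross_tenant": admit_at_remote_edge(cross_tenant, mac_to_tenant)[0],
    }


if __name__ == "__main__":
    print(run_demo())
```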

In some embodiments, the SDEN management plane 628 and the SDN management plane 623 are implemented as a single management plane in the cloud 620. Further information regarding this connection will be described below.

As described above, endpoints 611 of a branch site 610 can connect to an entity's shared network fabric using components residing in a cloud 620. In some embodiments, wired endpoints and wireless endpoints connect differently. Both scenarios will be further described below using specific examples. One of ordinary skill would understand that the flow of components described below is only an example way for the components to interact. Other permutations may be performed. FIG. 7 illustrates the communication between a wired endpoint 720, a layer 3 (L3) switch 730, an SDEN controller cluster 740, an SDEN management plane 750, and an MDM server set 760 for connecting the wired endpoint 720 residing in a branch site to a shared network fabric.

At 701, the wired endpoint 720 sends an Extensible Authentication Protocol over LAN (EAPOL) start request to the L3 switch 730. In some embodiments, the L3 switch 730 is a core switch of the branch site that the endpoint 720 accesses through an access switch (e.g., a managed wired network switch). The EAPOL start request is sent by the wired endpoint 720 when it wants to request access to the shared network fabric but does not know the MAC address of the authenticator (i.e., the SDEN controller cluster 740 in this example). After receiving the EAPOL start request, at 702, the L3 switch 730 provides an access request for the endpoint 720 to the SDEN controller cluster 740. In some embodiments, the SDEN controller cluster 740 is a set of one or more controllers operating as the SDEN control plane at the same branch site as the wired endpoint 720. The access request in some embodiments includes a set of attributes related to the wired endpoint 720 and/or the user using the endpoint. For instance, the set of attributes can include a MAC address of the endpoint 720 and a set of credentials (e.g., a username and password) for the user.

After receiving the access request, at 703, the SDEN controller cluster 740 sends a network policy request to the SDEN management plane 750. The SDEN management plane 750 of some embodiments resides in a cloud of the shared network fabric (such as the SDEN management plane 628 of FIG. 6). The policy request in some embodiments requests a policy related to the virtual network to which the wired endpoint 720 belongs. In some embodiments, the SDEN controller cluster 740 includes the MAC address of the wired endpoint 720 in the policy request.

At 704, the SDEN management plane 750 sends an identity request to the MDM server set 760. The MDM server set 760 resides in the cloud along with the SDEN management plane 750. In some embodiments, the identity request includes the MAC address of the wired endpoint 720 for the MDM server set 760 to determine the group to which the endpoint belongs. In other embodiments, the identity request includes the user's credentials for the MDM server set 760 to determine the group to which the user belongs. In still other embodiments, the identity request includes both the endpoint's MAC address and the user's credentials for the MDM server set 760 to determine the group to which the user and the endpoint belong.

At 705, the MDM server set 760 provides an identity response to the SDEN management plane 750. In some embodiments, the identity response includes a group ID specifying the group of the user and/or the endpoint. After receiving the identity response, at 706, the SDEN management plane 750 uses the group ID to determine the network policy for the wired endpoint 720, and provides the network policy to the SDEN controller cluster 740.

Using the received network policy, at 707, the SDEN controller cluster 740 updates the network policy. For example, the SDEN controller cluster 740 of some embodiments updates a mapping between the endpoint's MAC address and an SD-WAN tenant ID associated with the received group ID. The SDEN controller cluster 740 of some embodiments also updates an access control list (ACL) and/or a Quality-of-Service (QoS) policy associated with the network policy.

At 708, the SDEN controller cluster 740 sends an access accept message to the L3 switch 730 to notify it that the endpoint's access request has been accepted. In some embodiments, the SDEN controller cluster 740 also provides an ACL and/or QoS update to the L3 switch 730. Lastly, at 709, the L3 switch 730 sends an EAPOL success message to the wired endpoint 720. After this message has been sent, the wired endpoint 720 is able to connect to the shared network fabric using the correct virtual network with which it is associated.

In some embodiments, wireless endpoints connect to the shared network fabric differently than wired endpoints. FIG. 8 illustrates the communication between a wireless endpoint 820, an L3 switch 830, an SDEN controller cluster 840, an authentication server 850, an SDEN management plane 860, and an MDM server set 870 for connecting the wireless endpoint 820 residing in a branch site to a shared network fabric.

At 801, the wireless endpoint 820 sends an EAPOL start request to the L3 switch 830. In some embodiments, the L3 switch 830 is a core switch of the branch site that the endpoint 820 accesses through a WAP and a managed wireless network switch. The EAPOL start request is sent by the wireless endpoint 820 when it wants to request access to the shared network fabric but does not know the MAC address of the authenticator (i.e., the authentication server 850 in this example). After receiving the EAPOL start request, at 802, the L3 switch 830 provides an access request for the endpoint 820 to the SDEN controller cluster 840. In some embodiments, the SDEN controller cluster 840 is a set of one or more controllers operating as the SDEN control plane at the same branch site as the wireless endpoint 820. The access request in some embodiments includes a set of attributes related to the wireless endpoint 820 and/or the user using the endpoint. For instance, the set of attributes can include a MAC address of the endpoint 820 and a set of credentials (e.g., a username and password) for the user.

At 803, the SDEN controller cluster 840 sends an access request to the authentication server 850. In some embodiments, the authentication server 850 resides in a cloud site of the shared network fabric (such as the authentication server 625 of FIG. 6). In other embodiments, it resides in the same branch site as the wireless endpoint 820 and the SDEN controller cluster 840. The access request of some embodiments includes the user's set of credentials for the authentication server 850 to authenticate. In other embodiments, it also includes the endpoint's MAC address because the authentication server 850 has to authenticate not only the user but the endpoint 820 used by the user as well. Once the authentication server 850 has authenticated the user/endpoint, at 804, it sends an access accept message to the SDEN controller cluster 840.

After receiving the access accept message, at 805, the SDEN controller cluster 840 sends a network policy request to the SDEN management plane 860. The SDEN management plane 860 of some embodiments resides in a cloud along with the authentication server 850 (such as the SDEN management plane 628 of FIG. 6). The policy request in some embodiments requests a policy related to the virtual network to which the wireless endpoint 820 belongs. In some embodiments, the SDEN controller cluster 840 includes the MAC address of the wireless endpoint 820 in the policy request.

At 806, the SDEN management plane 860 sends an identity request to the MDM server set 870. The MDM server set 870 resides in the cloud along with the SDEN management plane 860 and the authentication server 850. In some embodiments, the identity request includes the MAC address of the wireless endpoint 820 for the MDM server set 870 to determine the group to which the endpoint belongs. In other embodiments, the identity request includes the user's credentials for the MDM server set 870 to determine the group to which the user belongs. In still other embodiments, the identity request includes both the endpoint's MAC address and the user's credentials for the MDM server set 870 to determine the group to which the user and the endpoint belong.

At 807, the MDM server set 870 provides an identity response to the SDEN management plane 860. In some embodiments, the identity response includes a group ID specifying the group of the user and/or the endpoint. After receiving the identity response, at 808, the SDEN management plane 860 uses the group ID to determine the network policy for the wireless endpoint 820, and provides the network policy to the SDEN controller cluster 840.

Using the received network policy, at 809, the SDEN controller cluster 840 updates the network policy. For example, the SDEN controller cluster 840 of some embodiments updates a mapping between the endpoint's MAC address and an SD-WAN tenant ID associated with the received group ID. The SDEN controller cluster 840 of some embodiments also updates an ACL and/or a QoS policy associated with the network policy.

At 810, the SDEN controller cluster 840 sends an access accept message to the L3 switch 830 to notify it that the endpoint's access request has been accepted. In some embodiments, the SDEN controller cluster 840 also provides an ACL and/or QoS update to the L3 switch 830. Lastly, at 811, the L3 switch 830 sends an EAPOL success message to the wireless endpoint 820. After this message has been sent, the wireless endpoint 820 is able to connect to the shared network fabric using the correct virtual network with which it is associated.
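The wired (FIG. 7) and wireless (FIG. 8) exchanges above, as an added simulation that is not the patent's or any product's code. Each class is a hypothetical stand-in for the component it is named after; the MDM group table, credential store and group-to-policy table are constructed sample data; and, since FIG. 7 as drawn has no authentication-server step, the wired controller is built without one while the wireless controller authenticates at 803/804 before requesting policy. The mismatch scenario (a user from one MDM group on a device enrolled in another) follows an assumed rule, stated in the code, that the page does not prescribe.

```python
"""Wired (FIG. 7) and wireless (FIG. 8) onboarding flows, simulated end to end.

Added example, not the patent's code: every class is a hypothetical stand-in
for the component it is named after; all tables below are constructed data.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkPolicy:
    tenant_id: int   # SD-WAN tenant ID the group's flows are encapsulated with
    acl: tuple
    qos_class: str


class MdmServerSet:
    """Identity request (704/806): MAC and/or username -> group ID."""
    def __init__(self, device_groups, user_groups):
        self._device_groups, self._user_groups = device_groups, user_groups

    def identity_response(self, mac, username):
        dev, usr = self._device_groups.get(mac), self._user_groups.get(username)
        # Assumption: when both device and user are known their groups must agree.
        if dev is not None and usr is not None:
            return dev if dev == usr else None
        return dev if dev is not None else usr


class AuthenticationServer:
    """Access request (803): checks the user's credentials and the endpoint MAC."""
    def __init__(self, credentials, enrolled_macs):
        self._credentials, self._enrolled_macs = credentials, enrolled_macs

    def access_request(self, mac, username, password):
        stored = self._credentials.get(username)
        if stored is None or not secrets.compare_digest(stored, password):
            return False
        return mac in self._enrolled_macs


class SdenManagementPlane:
    """Policy request (703/805): group ID from MDM (705/807), then group -> policy."""
    def __init__(self, mdm, group_policies):
        self._mdm, self._group_policies = mdm, group_policies

    def network_policy(self, mac, username):
        group_id = self._mdm.identity_response(mac, username)
        return None if group_id is None else self._group_policies.get(group_id)


class SdenControllerCluster:
    """Branch-site control plane: optional auth, policy fetch, MAC -> tenant map."""
    def __init__(self, mgmt, auth_server=None):
        self._mgmt, self._auth = mgmt, auth_server
        self.mac_to_tenant = {}    # mapping updated at 707/809
        self.switch_updates = []   # ACL/QoS pushed with the accept (708/810)

    def access_request(self, mac, username, password):
        if self._auth and not self._auth.access_request(mac, username, password):
            return "access-reject", None
        policy = self._mgmt.network_policy(mac, username)
        if policy is None:
            return "access-reject", None   # no group -> no virtual network
        self.mac_to_tenant[mac] = policy.tenant_id
        self.switch_updates.append((mac, policy.acl, policy.qos_class))
        return "access-accept", policy


def eapol_start(controller, mac, username, password):
    """The L3 switch relays EAPOL start (701/801) as an access request (702/802)
    and answers the endpoint with EAPOL success or failure (709/811)."""
    verdict, policy = controller.access_request(mac, username, password)
    if verdict == "access-accept":
        return "EAPOL-Success", policy.tenant_id
    return "EAPOL-Failure", None


def run_scenarios():
    mdm = MdmServerSet({"aa:bb:cc:00:00:01": "engineering", "aa:bb:cc:00:00:02": "finance"},
                       {"alice": "engineering", "bob": "finance"})
    mgmt = SdenManagementPlane(mdm, {
        "engineering": NetworkPolicy(1001, ("permit 10.10.0.0/16",), "gold"),
        "finance": NetworkPolicy(1002, ("permit 10.20.0.0/16",), "silver"),
    })
    auth = AuthenticationServer({"alice": "pw-alice", "bob": "pw-bob"},
                                {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"})
    wired, wireless = SdenControllerCluster(mgmt), SdenControllerCluster(mgmt, auth)
    return {
        "wired_alice": eapol_start(wired, "aa:bb:cc:00:00:01", "alice", ""),
        "wired_unknown": eapol_start(wired, "de:ad:be:ef:00:00", "mallory", ""),
        "wireless_bob": eapol_start(wireless, "aa:bb:cc:00:00:02", "bob", "pw-bob"),
        "wireless_bad_pw": eapol_start(wireless, "aa:bb:cc:00:00:02", "bob", "wrong"),
        "wireless_mismatch": eapol_start(wireless, "aa:bb:cc:00:00:01", "bob", "pw-bob"),
        "mapping": dict(wireless.mac_to_tenant),
    }
```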

In some embodiments, a simpler branch site or a home office of the shared network fabric does not include many of the same components as a larger branch site (such as the branch site 500 of FIG. 5). FIG. 9 illustrates a physical topology of an example remote site 900. In some embodiments, the remote site 900 is a branch site of an entity. In other embodiments, it is a home office used by one or more users of the entity.

In this example, the remote site 900 communicates with one or more datacenter sites and one or more cloud sites 902 through a broadband router 910. In some embodiments, the broadband router 910 is a standalone physical router or customer premises equipment (CPE) to connect to other resources in other sites or the Internet 904. In other embodiments, it is a software router executing on a host computer in the remote site 900. The remote site 900 also communicates with the Internet 904. In some embodiments, one or more cloud sites 902 include one or more MDM servers (not shown) for use by the remote site 900.

The broadband router 910 of some embodiments connects directly to non-entity devices 920 residing in the remote site 900. Non-entity devices 920 in some embodiments include wired and/or wireless personal devices of the user (i.e., not authorized for use of the datacenter sites and clouds 902 by the user) or devices of non-users at the remote site 900 (e.g., guests or family members of the user). The broadband router 910 connects to an SD-WAN edge appliance 930 in the remote site 900. In some embodiments, the SD-WAN edge appliance 930 operates as a standalone computer. In other embodiments, it runs as a software edge node on a host computer in the remote site 900.

In some embodiments, the SD-WAN edge appliance 930 includes a router that performs the data message forwarding operations of the SD-WAN edge appliance. In such embodiments, the next-hop forwarding records of the SD-WAN edge appliance 930 are routing records used by the router to forward data messages to the datacenter sites and clouds 902.

In some embodiments, the SD-WAN edge appliance 930 includes two or more edge devices, with each edge device connected to the datacenter sites and clouds 902 through different communication service providers (e.g., an MPLS device, a cable modem router, a 5G router, etc.). In some of these embodiments, the edge devices of the SD-WAN edge appliance 930 connect to each other using a physical cable link.

The SD-WAN edge appliance 930 connects to entity devices 940 residing in the remote site 900. Entity devices 940 in some embodiments include wired and/or wireless devices that are authorized to access the datacenter sites and cloud sites 902 of the entity. For example, work-designated devices of an employee of a corporation are entity devices.

The entity devices 940 are in some embodiments part of one or more SD-WANs established for the remote office's entity. For instance, a first entity device is in some embodiments part of a first SD-WAN, while a second entity device is part of a second SD-WAN. While both devices reside in the same physical location (i.e., the same remote site 900), they may be in different virtual networks based on the identity of the user using that device. In some embodiments, non-entity devices 920 are also part of one or more SD-WANs established for the remote office's entity. For example, the entity of some embodiments includes one or more SD-WANs for devices not belonging to the entity in order to isolate entity traffic from non-entity traffic.

FIG. 10 illustrates a logical topology for implementing a remote site in some embodiments. In this example, a remote site 1010 includes a set of one or more endpoints 1011, an SD-WAN edge appliance 1012, a T0 router 1013, and an SDEN control plane 1014. A cloud 1020 includes an SDN edge node 1021, an SDN control plane 1022, an SDN management plane 1023, an orchestration service 1024, an authentication server 1025, a data store 1026, an MDM server 1027, and an SDEN management plane 1028.

In the remote site 1010, the endpoints 1011 include one or more of wired devices and wireless devices used by users in the remote site 1010. The endpoints 1011 connect to the edge appliance 1012. In some embodiments, the endpoints 1011 are placed in an SD-WAN based on the endpoint's MAC address and/or the user's group identity (e.g., the user's responsibility and role within the corporation). User group identities are maintained by the MDM server 1027 in the cloud 1020.

The edge appliance 1012 communicates with the SDEN control plane 1014, which includes a cluster of one or more SDEN controllers for dynamically associating the endpoints 1011 with different SD-WANs implemented for different user groups. In some embodiments, the SDEN control plane 1014 allows for communications between the MDM server 1027 and the SDN components 1021-1023. The SDEN control plane 1014 communicates with the authentication server 1025 in the cloud 1020 to authenticate a user of one or more endpoints 1011. The SDEN control plane 1014 and authentication server 1025 in some embodiments operate similarly to the SDEN servers 175 and authentication server 180 of FIG. 1, respectively.

The authentication server 1025 uses user identity information stored in the data store 1026 to authenticate a user. In some embodiments, the data store 1026 is a directory server (e.g., an AD offered by Microsoft® Corporation) that stores directory service information, such as user and device information. The data store 1026 is in some embodiments a centralized and hierarchical database. The authentication server 1025 of some embodiments uses a protocol (e.g., LDAP) to access the data store 1026.

The SDEN control plane 1014 is managed by the SDEN management plane 1028 residing in the cloud 1020. In some embodiments, the SDEN management plane 1028 includes a cluster of one or more management servers that manage the SDEN control plane 1014 based on configuration data received from a network administrator. In some embodiments, the SDEN management plane 1028 also manages the data store 1026 and the MDM server 1027. In the cloud 1020, the SDN management plane 1023 manages the SDN control plane 1022 and the SDN edge node 1021.

The edge appliance 1012 also connects to the orchestration service 1024. This connection provides a way for implementing multiple SD-WANs using the SDEN control plane 1014 in the remote site 1010 and the SDEN management plane 1028 in the cloud 1020. Further information regarding this connection will be described below.

In some embodiments, the edge appliance 1012 includes a router that performs the data message forwarding operations of the edge appliance. In such embodiments, the next-hop forwarding records of the edge appliance 1012 are routing records used by the router to forward data messages to the cloud 1020.

In some embodiments, the edge appliance 1012 includes two or more edge devices, with each edge device connected to the cloud 1020 through different communication service providers (e.g., an MPLS device, a cable modem router, a 5G router, etc.). In some of these embodiments, the edge devices of the edge appliance 1012 connect to each other using a physical cable link.

In some embodiments, the edge appliance 1012 connects to a T0 router 1013 for implementing multiple logical networks. For instance, the SDEN control plane 1014 first uses the MDM server 1027 to identify the group with which a particular endpoint 1011 is to be associated. Using this information, the SDEN control plane 1014 notifies the SDEN management plane 1028 that the particular endpoint 1011 needs logical network access to the cloud 1020, and the SDEN management plane 1028 relays this to the SDN management plane 1023.

The SDN management plane 1023 uses the SDN control plane 1022 and the SDN edge node 1021 to create a logical network connection (e.g., a secure channel, a tunnel (such as a Geneve tunnel)) between the SDN edge node 1021 and the T0 router 1013 at the remote site 1010. In such embodiments, the remote site 1010 communicates with the cloud using this connection instead of communicating between the edge appliance 1012 and the orchestration service 1024. In some of these embodiments, the SDEN management plane 1028 and the SDN management plane 1023 are implemented as a single management plane in the cloud 1020. Further information regarding this connection will be described below.

As described above, endpoints 1011 of a remote site 1010 can connect to an entity's shared network fabric using components residing in a cloud 1020. In some embodiments, wired endpoints and wireless endpoints of a remote site connect differently. Both scenarios will be further described below using specific examples. One of ordinary skill would understand that the flow of components described below is only an example way for the components to interact. Other permutations may be performed. FIG. 11 illustrates the communication between a wired endpoint 1120, an SD-WAN edge appliance 1130, an SDEN controller cluster 1140, an SDEN management plane 1150, an MDM server set 1160, and an SD-WAN orchestrator 1170 for connecting the wired endpoint 1120 residing in a remote site (e.g., a home office) to a shared network fabric.

At 1101, the wired endpoint 1120 sends an EAPOL start request to the SD-WAN edge appliance 1130. The EAPOL start request is sent by the wired endpoint 1120 when it wants to request access to the shared network fabric but does not know the MAC address of the authenticator (i.e., the SDEN controller cluster 1140 in this example). After receiving the EAPOL start request, at 1102, the SD-WAN edge appliance 1130 provides an access request for the endpoint 1120 to the SDEN controller cluster 1140. In some embodiments, the SDEN controller cluster 1140 is a set of one or more controllers operating as the SDEN control plane at the same branch site as the wired endpoint 1120. The access request in some embodiments includes a set of attributes related to the wired endpoint 1120 and/or the user using the endpoint. For instance, the set of attributes can include a MAC address of the endpoint 1120 and a set of credentials (e.g., a username and password) for the user.

After receiving the access request, at 1103, the SDEN controller cluster 1140 sends a network policy request to the SDEN management plane 1150. The SDEN management plane 1150 of some embodiments resides in a cloud of the shared network fabric (such as the SDEN management plane 1028 of FIG. 10). The policy request in some embodiments requests a policy related to the virtual network to which the wired endpoint 1120 belongs. In some embodiments, the SDEN controller cluster 1140 includes the MAC address of the wired endpoint 1120 in the policy request.

At 1104, the SDEN management plane 1150 sends an identity request to the MDM server set 1160. The MDM server set 1160 resides in the cloud along with the SDEN management plane 1150. In some embodiments, the identity request includes the MAC address of the wired endpoint 1120 for the MDM server set 1160 to determine the group to which the endpoint belongs. In other embodiments, the identity request includes the user's credentials for the MDM server set 1160 to determine the group to which the user belongs. In still other embodiments, the identity request includes both the endpoint's MAC address and the user's credentials for the MDM server set 1160 to determine the group to which the user and the endpoint belong.

At 1105, the MDM server set 1160 provides an identity response to the SDEN management plane 1150. In some embodiments, the identity response includes a group ID specifying the user and/or endpoint's group. After receiving the identity response, at 1106, the SDEN management plane 1150 provides the policy request to the SD-WAN orchestrator 1170. The SD-WAN orchestrator 1170 of some embodiments resides in a cloud of the shared network fabric along with the SDEN management plane 1150. In some embodiments, the policy request sent at 1106 includes the group ID determined by the MDM server set 1160. At 1107, the SD-WAN orchestrator 1170 determines the network policy for the endpoint 1120 and provides a policy response to the SDEN management plane 1150 and the SD-WAN edge appliance 1130.

At 1108, the SDEN management plane 1150 provides the policy response to the SDEN controller cluster 1140. Using the received network policy, at 1109, the SDEN controller cluster 1140 updates the network policy. For example, the SDEN controller cluster 1140 of some embodiments updates a mapping between the endpoint's MAC address and an SD-WAN tenant ID associated with the received group ID. The SDEN controller cluster 1140 of some embodiments also updates an ACL and/or a QoS associated with the network policy.

At 1110, the SDEN controller cluster 1140 sends an access accept message to the SD-WAN edge appliance 1130 to notify that the endpoint's access request has been accepted. In some embodiments, the SDEN controller cluster 1140 also provides an ACL and/or QoS update to the SD-WAN edge appliance 1130. Lastly, at 1111, the SD-WAN edge appliance 1130 sends an EAPOL success message to the wired endpoint 1120. After this message has been sent, the wired endpoint 1120 is able to connect to the shared network fabric using the correct virtual network with which it is associated.

In some embodiments, wireless endpoints of a remote site connect to the shared network fabric differently than wired endpoints. FIG. 12 illustrates the communication between a wireless endpoint 1220, an SD-WAN edge appliance 1230, an SDEN controller cluster 1240, an authentication server 1250, an SDEN management plane 1260, an MDM server set 1270, and an SD-WAN orchestrator 1280 for connecting the wireless endpoint 1220 residing in a remote site to a shared network fabric.

At 1201, the wireless endpoint 1220 sends an EAPOL start request to the SD-WAN edge appliance 1230. The EAPOL start request is sent by the wireless endpoint 1220 when it wants to request access to the shared network fabric but does not know the MAC address of the authenticator (i.e., the authentication server 1250 in this example). After receiving the EAPOL start request, at 1202, the SD-WAN edge appliance 1230 provides an access request for the endpoint 1220 to the SDEN controller cluster 1240. In some embodiments, the SDEN controller cluster 1240 is a set of one or more controllers operating as the SDEN control plane at the same remote site as the wireless endpoint 1220. The access request in some embodiments includes a set of attributes related to the wireless endpoint 1220 and/or the user using the endpoint. For instance, the set of attributes can include a MAC address of the endpoint 1220 and a set of credentials (e.g., a username and password) for the user.

At 1203, the SDEN controller cluster 1240 sends an access request to the authentication server 1250. In some embodiments, the authentication server 1250 resides in a cloud site of the shared network fabric (such as the authentication server 1025 of FIG. 10). In other embodiments, it resides in the same remote site as the wireless endpoint 1220 and the SDEN controller cluster 1240. The access request of some embodiments includes the user's set of credentials for the authentication server 1250 to authenticate. In other embodiments, it also includes the endpoint's MAC address because the authentication server 1250 has to authenticate not only the user but the endpoint 1220 used by the user as well. Once the authentication server 1250 has authenticated the user/endpoint, at 1204, it sends an access accept message to the SDEN controller cluster 1240.

After receiving the access accept message, at 1205, the SDEN controller cluster 1240 sends a network policy request to the SDEN management plane 1260. The SDEN management plane 1260 of some embodiments resides in a cloud along with the authentication server 1250 (such as the SDEN management plane 1028 of FIG. 10). The policy request in some embodiments requests a policy related to the virtual network to which the wireless endpoint 1220 belongs. In some embodiments, the SDEN controller cluster 1240 includes the MAC address of the wireless endpoint 1220 in the policy request.

At 1206, the SDEN management plane 1260 sends an identity request to the MDM server set 1270. The MDM server set 1270 resides in the cloud along with the SDEN management plane 1260 and the authentication server 1250. In some embodiments, the identity request includes the MAC address of the wireless endpoint 1220 for the MDM server set 1270 to determine to which group the endpoint belongs. In other embodiments, the identity request includes the user's credentials for the MDM server set 1270 to determine to which group the user belongs. Still, in other embodiments, the identity request includes both the endpoint's MAC address and the user's credentials for the MDM server set 1270 to determine to which group the user and the endpoint 1220 belong.

At 1207, the MDM server set 1270 provides an identity response to the SDEN management plane 1260. In some embodiments, the identity response includes a group ID specifying the user and/or endpoint's group. After receiving the identity response, at 1208, the SDEN management plane 1260 provides the policy request to the SD-WAN orchestrator 1280. The SD-WAN orchestrator 1280 of some embodiments resides in a cloud of the shared network fabric along with the SDEN management plane 1260. In some embodiments, the policy request sent at 1208 includes the group ID determined by the MDM server set 1270. At 1209, the SD-WAN orchestrator 1280 determines the network policy for the endpoint 1220 and provides a policy response to the SDEN management plane 1260 and the SD-WAN edge appliance 1230.

At 1210, the SDEN management plane 1260 provides the policy response to the SDEN controller cluster 1240. Using the received network policy, at 1211, the SDEN controller cluster 1240 updates the network policy. For example, the SDEN controller cluster 1240 of some embodiments updates a mapping between the endpoint's MAC address and an SD-WAN tenant ID associated with the received group ID. The SDEN controller cluster 1240 of some embodiments also updates an ACL and/or a QoS associated with the network policy.

At 1212, the SDEN controller cluster 1240 sends an access accept message to the SD-WAN edge appliance 1230 to notify that the endpoint's access request has been accepted. In some embodiments, the SDEN controller cluster 1240 also provides an ACL and/or QoS update to the SD-WAN edge appliance 1230. Lastly, at 1213, the SD-WAN edge appliance 1230 sends an EAPOL success message to the wireless endpoint 1220. After this message has been sent, the wireless endpoint 1220 is able to connect to the shared network fabric using the correct virtual network with which it is associated.

As discussed previously, a site (e.g., a branch site, a remote site, etc.) of some embodiments that implements multiple SD-WANs connects to a cloud site using an edge appliance and an orchestration service facilitated by an SDN management plane in the cloud and an SDN control plane at the site. FIG. 13 conceptually illustrates a process 1300 of some embodiments for dynamically associating mobile devices with different SD-WANs on a shared network fabric of an entity. This process 1300 is performed in some embodiments by a set of SDEN servers implementing an SDEN control plane at a first site of the entity connected to a second site of the entity through the SD-WANs. The process 1300 is performed in some embodiments when the second site includes an orchestration service (e.g., a VeloCloud® orchestration service) to connect to the first site.

In some embodiments, at least two different SD-WANs are implemented for at least two different groups of the entity. These groups are in some embodiments different user groups of the entity. These groups in other embodiments are different device groups of the entity. The groups in other embodiments are a combination of user and device groups of the entity. The process 1300 will be described in relation to the components of FIG. 6; however, one of ordinary skill will realize that different configurations of branch sites and cloud sites may be used.

The process 1300 begins by identifying (at 1305) a particular mobile device that needs to connect to an SD-WAN of the shared network fabric. In some embodiments, the SDEN control plane 616 receives, through the set of infrastructure switches 612 (e.g., through an MWN switch), a request from the particular mobile device (i.e., an endpoint 611) to connect to the entity's shared network fabric. This request includes at least one of a MAC address of the mobile device and a set of user credentials (e.g., a username and password) for the user of the mobile device.

Next, the process 1300 authenticates (at 1310) the particular mobile device. In some embodiments, the SDEN control plane 616 uses the authentication server 625 in the cloud 620 to authenticate the mobile device. In other embodiments, the SDEN control plane 616 uses a different authentication server operating in the branch site 610. The mobile device is authenticated in some embodiments based on its MAC address. For instance, the authentication server 625 can use the data store 626 to retrieve a policy associated with the MAC address to determine whether the device itself is allowed to access the shared network fabric.

In other embodiments, the authentication server 625 uses the user's authentication credentials to determine (e.g., based on a policy stored in the data store 626) whether the user is allowed to access the shared network fabric. Still, in other embodiments, the authentication server 625 uses both the MAC address and the user's authentication credentials to authenticate the mobile device. In some embodiments, authentication of the mobile device is not necessary, and the step 1310 is not performed.

At 1315, the process 1300 uses a set of one or more MDM servers to identify an MDM group with which the particular mobile device is associated. Using the MDM server set 627, the SDEN control plane 616 of some embodiments determines to which device group the mobile device belongs. In such embodiments, the SDEN control plane 616 provides the device's MAC address to the MDM server set 627 to determine the device group. A device group is in some embodiments defined based on the device type, such as a first group for laptops, a second group for smartphones, a third group for tablets, etc.

In other embodiments, the SDEN control plane 616 determines to which user group the user of the mobile device belongs. In such embodiments, the SDEN control plane 616 provides the user's credentials to the MDM server set 627 to determine the user group. The SDEN control plane 616 also provides the device's MAC address along with the user's credentials to identify the user group. In some embodiments, a user group is a group of members of the entity that share a set of characteristics. The set of characteristics in some embodiments include at least one of a shared responsibility for the entity, a shared role within the entity, and a shared subgroup of the entity.

After identifying the MDM group, the process 1300 uses (at 1320) the identified MDM group to identify a particular LAN at the first site for the particular mobile device to connect to network resources of the first site that are connected to the particular LAN. In some embodiments, the particular LAN includes the infrastructure switch set 612, the router 613, and the edge appliance 615 of the branch site 610. Using these components, the mobile device is able to connect to network resources within the branch site 610. In some embodiments, the network resources include one or more of servers (e.g., VMs, containers, Pods, etc.), applications, middlebox services (e.g., firewall services, network address translation services, load balancing services, etc.), and forwarding elements (e.g., routers, switches, etc.).

Lastly, the process 1300 uses (at 1325) the identified MDM group to identify a particular SD-WAN for the particular mobile device to use to connect to the second site to have access to a set of one or more network resources at the second site. In some embodiments, the SDEN control plane 616 uses the SDEN management plane 628 to connect the edge appliance 615 in the branch site 610 to the orchestration server 624 in the cloud 620 in order to connect the two sites. In such embodiments, the SDEN control plane 616 notifies the SDEN management plane 628 that the mobile device needs an SD-WAN connection to connect to the cloud 620, and the SDEN management plane 628 directs the orchestration service 624 to connect to the edge appliance 615. The particular LAN is in some embodiments a first logical network of several logical networks implemented at the branch site for several different groups of mobile devices. These logical networks are implemented in some embodiments to isolate data message flows between the different groups. After identifying the particular SD-WAN to connect the particular mobile device to the second site, the process 1300 ends.

In some embodiments, a first site (e.g., a branch site, a remote site, etc.) that implements multiple logical networks connects to a second site using a connection between a T0 router and an SDN edge node facilitated by an SDN management plane in the second site and an SDN control plane at the first site. FIG. 14 conceptually illustrates a process 1400 of some embodiments for dynamically associating mobile devices with different logical networks implemented on a shared network fabric of an entity. This process 1400 is performed in some embodiments by a set of SDEN servers implementing an SDEN control plane at a first site of the entity connected to a second site of the entity through the logical networks. In some embodiments, the first site is a branch site and the second site is a cloud site. In other embodiments, the first and second sites are both branch sites. Still, in other embodiments, the first site is a branch site and the second site is a datacenter site.

In some embodiments, at least two different logical networks are implemented for at least two different groups of the entity. These groups are in some embodiments different user groups of the entity. These groups in other embodiments are different device groups of the entity. The groups in other embodiments are a combination of user and device groups of the entity. The process 1400 will be described in relation to the components of FIG. 6; however, one of ordinary skill will realize that different configurations of branch sites and cloud sites may be used.

The process 1400 begins by identifying (at 1405) a particular mobile device that needs to connect to a logical network of the shared network fabric of an entity. In some embodiments, the SDEN control plane 616 receives, through the set of infrastructure switches 612 (e.g., through an MWN switch), a request from the particular mobile device (i.e., an endpoint 611) to connect to the entity's shared network fabric. This request includes at least one of a MAC address of the mobile device and a set of user credentials (e.g., a username and password) for the user of the mobile device.

Next, the process 1400 authenticates (at 1410) the particular mobile device. In some embodiments, the SDEN control plane 616 uses the authentication server 625 in the cloud 620 to authenticate the mobile device. In other embodiments, the SDEN control plane 616 uses a different authentication server operating in the branch site 610. The mobile device is authenticated in some embodiments based on its MAC address. For instance, the authentication server 625 can use the data store 626 to retrieve a policy associated with the MAC address to determine whether the device itself is allowed to access the shared network fabric.

In other embodiments, the authentication server 625 uses the user's authentication credentials to determine (e.g., based on a policy stored in the data store 626) whether the user is allowed to access the shared network fabric. Still, in other embodiments, the authentication server 625 uses both the MAC address and the user's authentication credentials to authenticate the mobile device. In some embodiments, authentication of the mobile device is not necessary, and the step 1410 is not performed.

At 1415, the process 1400 uses a set of one or more MDM servers to identify an MDM group with which the particular mobile device is associated. Using the MDM server set 627, the SDEN control plane 616 of some embodiments determines to which device group the mobile device belongs. In such embodiments, the SDEN control plane 616 provides the device's MAC address to the MDM server set 627 to determine the device group. A device group is in some embodiments defined based on the device type, such as a first group for laptops, a second group for smartphones, a third group for tablets, etc.

In other embodiments, the SDEN control plane 616 determines to which user group the user of the mobile device belongs. In such embodiments, the SDEN control plane 616 provides the user's credentials to the MDM server set 627 to determine the user group. The SDEN control plane 616 also provides the device's MAC address along with the user's credentials to identify the user group. In some embodiments, a user group is a group of members of the entity that share a set of characteristics. The set of characteristics in some embodiments include at least one of a shared responsibility for the entity, a shared role within the entity, and a shared subgroup of the entity.

After identifying the MDM group, the process 1400 uses (at 1420) the identified MDM group to identify a first LNI associated with a first logical network that is defined over a shared network fabric at the first site for the particular mobile device to connect to network resources of the first site that are connected to the first logical network. In some embodiments, in identifying the MDM group, the SDEN control plane 616 receives from the MDM server set 627 an MDM group ID for the MDM group. In such embodiments, the SDEN control plane 616 uses the MDM group ID to identify the first LNI for the first logical network associated with that group.

In some embodiments, the identified first logical network includes the infrastructure switch set 612, router 613, and T0 router 614. Using these components, the mobile device is able to connect to network resources (e.g., using a secure connection or a tunnel) within the branch site 610. In some embodiments, the network resources include one or more of servers (e.g., VMs, containers, Pods, etc.), applications, middlebox services (e.g., firewall services, network address translation services, load balancing services, etc.), and forwarding elements (e.g., routers, switches, etc.).

At 1425, the process 1400 uses the identified MDM group to identify a second LNI associated with a second logical network connecting a first edge gateway at the first site to a second edge gateway at a second site of the entity. The second logical network identified by the second LNI in some embodiments (1) spans the first and second sites and (2) connects the mobile device at the first site to the set of network resources at the second site. In some embodiments, the first LNI is the same as the second LNI, as the first and second logical networks are one network. In other embodiments, the first LNI is different than the second LNI, as the first and second logical networks are two different logical networks with the first logical network being a logical LAN and the second logical network being a logical WAN. The logical LAN spans only the first site (i.e., the branch site 610), while the logical WAN spans at least the first and second sites (i.e., the branch site 610 and the cloud site 620).

This step (at 1425) is in some embodiments facilitated by the SDEN control plane 616 using the SDEN management plane 628 and the SDN management plane 623. For example, the SDEN control plane 616 of some embodiments notifies the SDEN management plane 628 of the second logical network needed to connect the branch site 610 to the cloud site 620. The SDEN management plane 628 notifies the SDN management plane 623 that the mobile device needs logical network access to the cloud 620.

The SDN management plane 623 uses the SDN control plane 622 and the SDN edge node 621 to create the second logical network between the SDN edge node 621 and the T0 router 614 at the branch site 610. In some of these embodiments, the SDEN management plane 628 and the SDN management plane 623 are implemented as a single management plane in the cloud 620. In some embodiments, the second logical network connects the particular mobile device to a set of one or more network resources at the cloud site. Such network resources in some embodiments include servers, applications, middlebox services, and forwarding elements in the cloud 620. Because data message flows associated with the mobile device are routed between the T0 router 614 and the SDN edge node 621, the mobile device can be seen as in the same overlay network as the network resources in the cloud 620.

Lastly, the process 1400 inserts (at 1430) the second LNI in an encapsulation header that encapsulates data messages sent from the particular mobile device to a set of one or more network resources at the second site. In some embodiments, the encapsulation header is a tunnel header used to send the data messages from the first edge gateway (i.e., the T0 router 614) to the second edge gateway (i.e., the SDN edge node 621) through a tunnel established between the first and second edge gateways. This tunnel connects the first and second sites so that the mobile device is able to access the set of network resources at the second site. Because the data messages sent from the mobile device are sent using a secure connection (i.e., a tunnel), the mobile device can be seen as in the same overlay network as the set of network resources in the second site.

In some embodiments, the second LNI is inserted into the encapsulating header by the T0 router 614 operating at the branch site 610 to forward the encapsulated data messages to the SDN edge node 621 at the cloud site 620. In some embodiments, this encapsulation header is a first tunnel header and the data messages sent to the second site are a first set of data messages. In such embodiments, the process 1400 also inserts the first LNI in a second encapsulation header that encapsulates a second set of data messages sent from the mobile device to the network resources of the first site. The second encapsulation header is also a tunnel header used to send the second set of data messages through a tunnel or a secure connection in some embodiments. After inserting the second LNI to send data messages from the mobile device to the network resources at the second site, the process 1400 ends.
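The following is an added example, not code from the patent or from VMware, that walks the control-plane flow of FIGS. 11-14 (authenticate, identity request to the MDM server set, policy request to the orchestrator, MAC-to-tenant mapping update) and the data-plane step of FIG. 14 in which the edge gateway inserts the LNI into a tunnel header. It assumes a VXLAN-style 8-byte header whose 24-bit VNI field carries the LNI, and all MAC addresses, credentials, group IDs and LNIs are constructed values; an endpoint with no mapping is dropped rather than placed on a default network, so a failed lookup cannot leak a flow into another group's logical network.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed tables standing in for the authentication server, the MDM server
# set and the SD-WAN orchestrator (all values invented for this example).
ALLOWED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
USER_CREDENTIALS = {"alice": "correct-horse", "bob": "battery-staple"}

# MDM server set: MAC -> device group (enrolment), username -> user group.
MDM_DEVICE_GROUPS = {"aa:bb:cc:00:00:01": "laptops", "aa:bb:cc:00:00:02": "tablets"}
MDM_USER_GROUPS = {"alice": "engineering", "bob": "finance"}


@dataclass(frozen=True)
class NetworkPolicy:
    """Policy returned by the orchestrator for one MDM group: the SD-WAN tenant
    ID, the LNI of the logical LAN at the branch site (first LNI) and the LNI of
    the logical WAN to the second site (second LNI)."""
    tenant_id: int
    lan_lni: int
    wan_lni: int


# SD-WAN orchestrator: MDM group ID -> network policy.
ORCHESTRATOR_POLICIES = {
    "engineering": NetworkPolicy(tenant_id=10, lan_lni=0x001010, wan_lni=0x002010),
    "finance": NetworkPolicy(tenant_id=20, lan_lni=0x001020, wan_lni=0x002020),
}


class SdenController:
    """SDEN control plane at the branch site. Keeps the MAC -> policy mapping
    that the edge gateway consults when encapsulating the endpoint's frames."""

    def __init__(self) -> None:
        self.mac_to_policy: Dict[str, NetworkPolicy] = {}

    def handle_access_request(self, mac: str, username: str, password: str) -> bool:
        """Returns True for an access accept, False for a reject."""
        # Step 1: authenticate both the endpoint (MAC) and the user (credentials).
        if mac not in ALLOWED_MACS or USER_CREDENTIALS.get(username) != password:
            return False
        # Step 2: identity request to the MDM server set. A device unknown to MDM
        # or a user with no group gets no policy and is rejected (fail closed).
        if mac not in MDM_DEVICE_GROUPS:
            return False
        group_id = MDM_USER_GROUPS.get(username)
        if group_id is None:
            return False
        # Step 3: policy request to the orchestrator, keyed by the MDM group ID.
        policy = ORCHESTRATOR_POLICIES.get(group_id)
        if policy is None:
            return False
        # Step 4: update the MAC -> tenant/LNI mapping used by the data plane.
        self.mac_to_policy[mac] = policy
        return True


# VXLAN-style header (assumed format): flags(1) reserved(3) VNI(3) reserved(1).
VNI_VALID_FLAG = 0x08
HEADER_FMT = "!B3xI"


def encapsulate(controller: SdenController, src_mac: str,
                inner_frame: bytes, to_remote_site: bool) -> Optional[bytes]:
    """Edge gateway (T0 router / SD-WAN edge): prepend the tunnel header carrying
    the LNI of the logical WAN (remote site) or logical LAN (local site).
    Frames from a MAC with no mapping are dropped (None), never defaulted."""
    policy = controller.mac_to_policy.get(src_mac)
    if policy is None:
        return None
    lni = policy.wan_lni if to_remote_site else policy.lan_lni
    # The 24-bit VNI occupies the top three bytes of the last 32-bit word.
    header = struct.pack(HEADER_FMT, VNI_VALID_FLAG, lni << 8)
    return header + inner_frame


def lni_from_header(packet: bytes) -> int:
    """Receiving edge gateway: extract the LNI from the tunnel header."""
    flags, vni_word = struct.unpack(HEADER_FMT, packet[:8])
    if not flags & VNI_VALID_FLAG:
        raise ValueError("tunnel header has no valid VNI")
    return vni_word >> 8


if __name__ == "__main__":
    ctrl = SdenController()
    print("alice/laptop accepted:",
          ctrl.handle_access_request("aa:bb:cc:00:00:01", "alice", "correct-horse"))
    pkt = encapsulate(ctrl, "aa:bb:cc:00:00:01", b"\x00" * 14, to_remote_site=True)
    print("LNI on the wire: 0x%06x" % lni_from_header(pkt))
    print("unmapped MAC dropped:", encapsulate(ctrl, "aa:bb:cc:00:00:02", b"", True) is None)
```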

Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer readable storage medium (also referred to as computer readable medium). When these instructions are executed by one or more processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions. Examples of computer readable media include, but are not limited to, CD-ROMs, flash drives, RAM chips, hard drives, EPROMs, etc. The computer readable media does not include carrier waves and electronic signals passing wirelessly or over wired connections.

In this specification, the term “software” is meant to include firmware residing in read-only memory or applications stored in magnetic storage, which can be read into memory for processing by a processor. Also, in some embodiments, multiple software inventions can be implemented as sub-parts of a larger program while remaining distinct software inventions. In some embodiments, multiple software inventions can also be implemented as separate programs. Finally, any combination of separate programs that together implement a software invention described here is within the scope of the invention. In some embodiments, the software programs, when installed to operate on one or more electronic systems, define one or more specific machine implementations that execute and perform the operations of the software programs.

FIG. 15 conceptually illustrates a computer system 1500 with which some embodiments of the invention are implemented. The computer system 1500 can be used to implement any of the above-described computers and servers. As such, it can be used to execute any of the above described processes. This computer system includes various types of non-transitory machine readable media and interfaces for various other types of machine readable media. Computer system 1500 includes a bus 1505, processing unit(s) 1510, a system memory 1525, a read-only memory 1530, a permanent storage device 1535, input devices 1540, and output devices 1545.

The bus 1505 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the computer system 1500. For instance, the bus 1505 communicatively connects the processing unit(s) 1510 with the read-only memory 1530, the system memory 1525, and the permanent storage device 1535.

From these various memory units, the processing unit(s) 1510 retrieve instructions to execute and data to process in order to execute the processes of the invention. The processing unit(s) may be a single processor or a multi-core processor in different embodiments. The read-only-memory (ROM) 1530 stores static data and instructions that are needed by the processing unit(s) 1510 and other modules of the computer system. The permanent storage device 1535, on the other hand, is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when the computer system 1500 is off. Some embodiments of the invention use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive) as the permanent storage device 1535.

Other embodiments use a removable storage device (such as a flash drive, etc.) as the permanent storage device. Like the permanent storage device 1535, the system memory 1525 is a read-and-write memory device. However, unlike storage device 1535, the system memory is a volatile read-and-write memory, such as a random access memory. The system memory stores some of the instructions and data that the processor needs at runtime. In some embodiments, the invention's processes are stored in the system memory 1525, the permanent storage device 1535, and/or the read-only memory 1530. From these various memory units, the processing unit(s) 1510 retrieve instructions to execute and data to process in order to execute the processes of some embodiments.

The bus 1505 also connects to the input and output devices 1540 and 1545. The input devices enable the user to communicate information and select commands to the computer system. The input devices 1540 include alphanumeric keyboards and pointing devices (also called “cursor control devices”). The output devices 1545 display images generated by the computer system. The output devices include printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD). Some embodiments include devices such as a touchscreen that function as both input and output devices.

Finally, as shown in FIG. 15, bus 1505 also couples computer system 1500 to a network 1565 through a network adapter (not shown). In this manner, the computer can be a part of a network of computers (such as a local area network (“LAN”), a wide area network (“WAN”), or an Intranet), or a network of networks, such as the Internet. Any or all components of computer system 1500 may be used in conjunction with the invention.

Some embodiments include electronic components, such as microprocessors, storage and memory that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media). Some examples of such computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.), magnetic and/or solid state hard drives, read-only and recordable Blu-Ray® discs, ultra-density optical discs, and any other optical or magnetic media. The computer-readable media may store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations. Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.

While the above discussion primarily refers to microprocessor or multi-core processors that execute software, some embodiments are performed by one or more integrated circuits, such as application specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs). In some embodiments, such integrated circuits execute instructions that are stored on the circuit itself.

As used in this specification, the terms “computer”, “server”, “processor”, and “memory” all refer to electronic or other technological devices. These terms exclude people or groups of people. For the purposes of the specification, the terms “display” or “displaying” mean displaying on an electronic device. As used in this specification, the terms “computer readable medium,” “computer readable media,” and “machine readable medium” are entirely restricted to tangible, physical objects that store information in a form that is readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral or transitory signals.

While the invention has been described with reference to numerous specific details, one of ordinary skill in the art will recognize that the invention can be embodied in other specific forms without departing from the spirit of the invention. In addition, a number of the figures (including FIGS. 2, 7, 8, and 11-14) conceptually illustrate processes. The specific operations of these processes may not be performed in the exact order shown and described. The specific operations may not be performed in one continuous series of operations, and different specific operations may be performed in different embodiments. Furthermore, the process could be implemented using several sub-processes, or as part of a larger macro process. Thus, one of ordinary skill in the art would understand that the invention is not to be limited by the foregoing illustrative details, but rather is to be defined by the appended claims.

Claims

1. A method for dynamically associating mobile devices with different logical networks implemented on a shared network fabric of an entity, wherein at least two different logical networks are implemented for at least two different groups of the entity, the method comprising:

at a first site of the entity:
authenticating a particular mobile device;
using one or more mobile device management (MDM) servers to identify an MDM group with which the particular mobile device is associated, wherein using the one or more MDM servers to identify the MDM group comprises providing a media access control (MAC) address of the particular mobile device to the one or more MDM servers to identify a device group to which the particular mobile device belongs;
using the identified MDM group to identify a first logical network that is defined over the shared network fabric at the first site for the particular mobile device to connect to network resources of the first site that are connected to the first logical network;
using the identified MDM group to identify a logical network identifier (LNI) associated with a second logical network connecting a first edge gateway at the first site to a second edge gateway at a second site of the entity; and
inserting the LNI in an encapsulation header that encapsulates data messages sent from the particular mobile device to one or more network resources at the second site.

2. The method of claim 1, wherein the encapsulation header is a tunnel encapsulation header that is used to send the data messages from the first edge gateway to the second edge gateway through a tunnel established between the first and second edge gateways.

3. The method of claim 1, wherein the first logical network has an associated LNI and the first logical network LNI is the same as the second logical network LNI, as the first and second logical networks are one network.

4. The method of claim 1, wherein the first logical network has an associated LNI and the first logical network LNI is different than the second logical network LNI, as the first and second logical networks are two different logical networks with the first logical network being a logical local area network (LAN) and the second logical network being a logical wide area network (WAN).

5. The method of claim 4, wherein the encapsulation header is a first encapsulation header and the data messages are a first set of data messages, the method further comprising inserting the first logical network LNI in a second encapsulation header that encapsulates a second set of data messages sent from the particular mobile device to the network resources of the first site.

6. The method of claim 4, wherein using the one or more MDM servers to identify the MDM group further comprises receiving an MDM group identifier (ID) for the MDM group from the one or more MDM servers.

7. The method of claim 6, wherein:

using the identified MDM group to identify the first logical network comprises determining that the MDM group ID is associated with the first logical network LNI, and
using the identified MDM group to identify the second logical network LNI associated with the second logical network comprises determining that the MDM group ID is associated with the second logical network LNI.

8. The method of claim 1, wherein authenticating the particular mobile device comprises:

receiving a set of authentication credentials from the particular mobile device; and
using the set of authentication credentials to authenticate the particular mobile device.

9. The method of claim 8, wherein the set of authentication credentials comprises a username and password of a user of the particular mobile device.

10. The method of claim 8, wherein authenticating the particular mobile device comprises directing an authentication server operating at the first site to authenticate the particular mobile device.

11. The method of claim 8, wherein authenticating the particular mobile device comprises providing the set of authentication credentials to an authentication server operating at the second site to authenticate the particular mobile device.

12. The method of claim 1, wherein the network resources of the first site and the one or more network resources at the second site each comprise one or more of servers, applications, middlebox services, and forwarding elements.

13. The method of claim 1, wherein the at least two different groups of the entity comprise different user groups of the entity.

14. The method of claim 1, wherein the at least two different groups of the entity comprise different device groups of the entity.

15. The method of claim 1, wherein the device group comprises devices of a same type.

16. The method of claim 15, wherein the same type is one of a laptop, smartphone, or tablet.

17. The method of claim 1, wherein using the one or more MDM servers to identify the MDM group further comprises providing a set of authentication credentials associated with a user of the particular mobile device to the one or more MDM servers to identify a user group to which the user belongs.

18. The method of claim 1, wherein the first site is a branch site of the entity and the second site is a cloud site of the entity.

19. A non-transitory machine readable medium storing a program for execution by at least one processing unit for dynamically associating mobile devices with different logical networks implemented on a shared network fabric of an entity, wherein at least two different logical networks are implemented for at least two different groups of the entity, the program comprising sets of instructions for:

at a first site of the entity:
authenticating a particular mobile device;
using one or more mobile device management (MDM) servers to identify an MDM group with which the particular mobile device is associated, using the one or more MDM servers to identify the MDM group comprising providing a media access control (MAC) address of the particular mobile device to the one or more MDM servers to identify a device group to which the particular mobile device belongs;
using the identified MDM group to identify a first logical network that is defined over the shared network fabric at the first site for the particular mobile device to connect to network resources of the first site that are connected to the first logical network;
using the identified MDM group to identify a logical network identifier (LNI) associated with a second logical network connecting a first edge gateway at the first site to a second edge gateway at a second site of the entity; and
inserting the LNI in an encapsulation header that encapsulates data messages sent from the particular mobile device to one or more network resources at the second site.

20. The non-transitory machine readable medium of claim 19, wherein the encapsulation header is a tunnel encapsulation header that is used to send the data messages from the first edge gateway to the second edge gateway through a tunnel established between the first and second edge gateways.
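The following is an added Python illustration, not code from the patent or from VMware, of the flow recited in claims 1 through 8: authenticate the device, resolve its MDM group from its MAC address, map that group to a LAN LNI and a WAN LNI, and stamp the WAN LNI into the encapsulation header of traffic bound for the second site. It assumes a VXLAN-style 8-byte header carrying the LNI in the 24-bit VNI field, and the MDM inventory, LNI policy, credentials, MAC addresses and LNI values are all constructed sample data.

```python
"""Added illustration (not the patent's or VMware's code) of the claim-1 flow.

Assumptions: a VXLAN-style 8-byte header carries the LNI in its 24-bit VNI
field; the MDM inventory, LNI policy and credential store are in-memory dicts
filled with constructed sample values.
"""
import hmac
import struct
from dataclasses import dataclass

# Constructed MDM inventory: MAC address -> MDM device group (claims 1, 15, 16).
MDM_DEVICE_GROUPS = {
    "aa:bb:cc:00:00:01": "corp-laptops",
    "aa:bb:cc:00:00:02": "warehouse-tablets",
}

# Constructed policy: MDM group -> (LAN LNI at the first site, WAN LNI between
# the two edge gateways). "corp-laptops" is one network end to end, so both
# LNIs match (claim 3); "warehouse-tablets" has a separate logical LAN and
# logical WAN, so they differ (claim 4).
GROUP_TO_LNI = {
    "corp-laptops": (5001, 5001),
    "warehouse-tablets": (100, 7002),
}

# Constructed credential store standing in for the authentication server of
# claims 10-11 (claim 9: username and password of the device's user).
CREDENTIALS = {"alice": "correct-horse", "bob": "battery-staple"}

VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field holds a valid identifier
LOCAL_SITE = "branch"        # the first site (claim 18: a branch site)


@dataclass(frozen=True)
class DeviceContext:
    """What the first site records about an admitted device."""
    mac: str
    mdm_group: str
    lan_lni: int
    wan_lni: int


def authenticate(username: str, password: str) -> bool:
    """Claim 8: verify the credentials; a constant-time compare avoids leaking
    how many characters matched through timing."""
    expected = CREDENTIALS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def admit_device(mac: str, username: str, password: str):
    """Claim 1, first four steps. Returns a DeviceContext, or None to deny.

    The MDM lookup runs only after authentication succeeds, and a device whose
    MAC is unknown to the MDM servers, or whose group has no LNI policy, is
    denied rather than dropped onto a default network.
    """
    if not authenticate(username, password):
        return None
    group = MDM_DEVICE_GROUPS.get(mac.lower())
    if group is None or group not in GROUP_TO_LNI:
        return None
    lan_lni, wan_lni = GROUP_TO_LNI[group]
    return DeviceContext(mac.lower(), group, lan_lni, wan_lni)


def build_encap_header(lni: int) -> bytes:
    """8-byte header: flags, 24 reserved bits, 24-bit VNI (= LNI), 8 reserved bits."""
    if not 0 <= lni < 1 << 24:
        raise ValueError("LNI must fit in the 24-bit VNI field")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, lni << 8)


def parse_encap_header(header: bytes) -> int:
    """Recover the LNI from a header; reject headers without a valid VNI."""
    if len(header) < 8 or not header[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("not an encapsulation header with a valid LNI")
    return struct.unpack("!I", header[4:8])[0] >> 8


def encapsulate(ctx: DeviceContext, payload: bytes, destination_site: str) -> bytes:
    """Claims 1 and 5: traffic staying at the first site carries the LAN LNI;
    traffic to the second site carries the WAN LNI used between edge gateways."""
    lni = ctx.lan_lni if destination_site == LOCAL_SITE else ctx.wan_lni
    return build_encap_header(lni) + payload


def receive_at_gateway(frame: bytes, permitted_lnis):
    """Second edge gateway: decapsulate and deliver only if the LNI belongs to a
    logical network the destination resource is attached to; anything else is
    dropped, which is the isolation the per-group LNI exists to enforce."""
    lni = parse_encap_header(frame[:8])
    if lni not in permitted_lnis:
        return None
    return lni, frame[8:]


if __name__ == "__main__":
    ctx = admit_device("AA:BB:CC:00:00:02", "bob", "battery-staple")
    frame = encapsulate(ctx, b"GET /inventory", "cloud")
    print(ctx, frame.hex(), receive_at_gateway(frame, {7002}))
```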

References Cited
U.S. Patent Documents
20180041425 February 8, 2018 Zhang
20180062875 March 1, 2018 Tumuluru
20180062914 March 1, 2018 Boutros et al.
20180062917 March 1, 2018 Chandrashekhar et al.
20180063036 March 1, 2018 Chandrashekhar et al.
20180063193 March 1, 2018 Chandrashekhar et al.
20180063233 March 1, 2018 Park
20180063743 March 1, 2018 Tumuluru et al.
20180069924 March 8, 2018 Tumuluru et al.
20180074909 March 15, 2018 Bishop et al.
20180077081 March 15, 2018 Lauer et al.
20180077202 March 15, 2018 Xu
20180084081 March 22, 2018 Kuchibhotla et al.
20180091370 March 29, 2018 Arai
20180097725 April 5, 2018 Wood et al.
20180114569 April 26, 2018 Strachan et al.
20180123910 May 3, 2018 Fitzgibbon
20180123946 May 3, 2018 Ramachandran et al.
20180131608 May 10, 2018 Jiang et al.
20180131615 May 10, 2018 Zhang
20180131720 May 10, 2018 Hobson et al.
20180145899 May 24, 2018 Rao
20180159796 June 7, 2018 Wang et al.
20180159856 June 7, 2018 Gujarathi
20180167378 June 14, 2018 Kostyukov et al.
20180176073 June 21, 2018 Dubey et al.
20180176082 June 21, 2018 Katz et al.
20180176130 June 21, 2018 Banerjee et al.
20180176252 June 21, 2018 Nimmagadda et al.
20180181423 June 28, 2018 Gunda et al.
20180205746 July 19, 2018 Boutnaru et al.
20180213472 July 26, 2018 Ishii et al.
20180219765 August 2, 2018 Michael et al.
20180219766 August 2, 2018 Michael et al.
20180234300 August 16, 2018 Mayya et al.
20180248790 August 30, 2018 Tan et al.
20180260125 September 13, 2018 Botes et al.
20180261085 September 13, 2018 Liu et al.
20180262468 September 13, 2018 Kumar et al.
20180270104 September 20, 2018 Zheng et al.
20180278541 September 27, 2018 Wu et al.
20180287907 October 4, 2018 Kulshreshtha et al.
20180295101 October 11, 2018 Gehrmann
20180295529 October 11, 2018 Jen et al.
20180302286 October 18, 2018 Mayya et al.
20180302321 October 18, 2018 Manthiramoorthy et al.
20180307851 October 25, 2018 Lewis
20180316606 November 1, 2018 Sung et al.
20180351855 December 6, 2018 Sood et al.
20180351862 December 6, 2018 Jeganathan et al.
20180351863 December 6, 2018 Vairavakkalai et al.
20180351882 December 6, 2018 Jeganathan et al.
20180359323 December 13, 2018 Madden
20180367445 December 20, 2018 Bajaj
20180373558 December 27, 2018 Chang et al.
20180375744 December 27, 2018 Mayya et al.
20180375824 December 27, 2018 Mayya et al.
20180375967 December 27, 2018 Pithawala et al.
20190013883 January 10, 2019 Vargas et al.
20190014038 January 10, 2019 Ritchie
20190020588 January 17, 2019 Twitchell, Jr.
20190020627 January 17, 2019 Yuan
20190021085 January 17, 2019 Mochizuki et al.
20190028378 January 24, 2019 Houjyo et al.
20190028552 January 24, 2019 Johnson et al.
20190036808 January 31, 2019 Shenoy et al.
20190036810 January 31, 2019 Michael et al.
20190036813 January 31, 2019 Shenoy et al.
20190046056 February 14, 2019 Khachaturian et al.
20190058657 February 21, 2019 Chunduri et al.
20190058709 February 21, 2019 Kempf et al.
20190068470 February 28, 2019 Mirsky
20190068493 February 28, 2019 Ram et al.
20190068500 February 28, 2019 Hira
20190075083 March 7, 2019 Mayya et al.
20190081894 March 14, 2019 Yousaf et al.
20190103990 April 4, 2019 Cidon et al.
20190103991 April 4, 2019 Cidon et al.
20190103992 April 4, 2019 Cidon et al.
20190103993 April 4, 2019 Cidon et al.
20190104035 April 4, 2019 Cidon et al.
20190104049 April 4, 2019 Cidon et al.
20190104050 April 4, 2019 Cidon et al.
20190104051 April 4, 2019 Cidon et al.
20190104052 April 4, 2019 Cidon et al.
20190104053 April 4, 2019 Cidon et al.
20190104063 April 4, 2019 Cidon et al.
20190104064 April 4, 2019 Cidon et al.
20190104109 April 4, 2019 Cidon et al.
20190104111 April 4, 2019 Cidon et al.
20190104413 April 4, 2019 Cidon et al.
20190109769 April 11, 2019 Jain et al.
20190132221 May 2, 2019 Boutros et al.
20190132234 May 2, 2019 Dong et al.
20190132322 May 2, 2019 Song et al.
20190140889 May 9, 2019 Mayya et al.
20190140890 May 9, 2019 Mayya et al.
20190149525 May 16, 2019 Gunda et al.
20190158371 May 23, 2019 Dillon et al.
20190158605 May 23, 2019 Markuze et al.
20190199539 June 27, 2019 Deng et al.
20190220703 July 18, 2019 Prakash et al.
20190222499 July 18, 2019 Chen et al.
20190238364 August 1, 2019 Boutros et al.
20190238446 August 1, 2019 Barzik et al.
20190238449 August 1, 2019 Michael et al.
20190238450 August 1, 2019 Michael et al.
20190238483 August 1, 2019 Marichetty et al.
20190238497 August 1, 2019 Tourrilhes et al.
20190268421 August 29, 2019 Markuze et al.
20190268973 August 29, 2019 Bull
20190278631 September 12, 2019 Bernat et al.
20190280962 September 12, 2019 Michael et al.
20190280963 September 12, 2019 Michael et al.
20190280964 September 12, 2019 Michael et al.
20190288875 September 19, 2019 Shen et al.
20190306197 October 3, 2019 Degioanni
20190306282 October 3, 2019 Masputra et al.
20190313278 October 10, 2019 Liu
20190313907 October 17, 2019 Khachaturian et al.
20190319847 October 17, 2019 Nahar et al.
20190319881 October 17, 2019 Maskara et al.
20190327109 October 24, 2019 Guichard et al.
20190334786 October 31, 2019 Dutta et al.
20190334813 October 31, 2019 Raj et al.
20190334820 October 31, 2019 Zhao
20190342201 November 7, 2019 Singh
20190342219 November 7, 2019 Liu et al.
20190356736 November 21, 2019 Narayanaswamy et al.
20190364099 November 28, 2019 Thakkar et al.
20190364456 November 28, 2019 Yu
20190372888 December 5, 2019 Michael et al.
20190372889 December 5, 2019 Michael et al.
20190372890 December 5, 2019 Michael et al.
20190394081 December 26, 2019 Tahhan et al.
20200014609 January 9, 2020 Hockett et al.
20200014615 January 9, 2020 Michael et al.
20200014616 January 9, 2020 Michael et al.
20200014661 January 9, 2020 Mayya et al.
20200014663 January 9, 2020 Chen et al.
20200021514 January 16, 2020 Michael et al.
20200021515 January 16, 2020 Michael et al.
20200036624 January 30, 2020 Michael et al.
20200044943 February 6, 2020 Bor-Yaliniz et al.
20200044969 February 6, 2020 Hao et al.
20200059420 February 20, 2020 Abraham
20200059457 February 20, 2020 Raza et al.
20200059459 February 20, 2020 Abraham et al.
20200067831 February 27, 2020 Spraggins et al.
20200092207 March 19, 2020 Sipra et al.
20200097327 March 26, 2020 Beyer et al.
20200099625 March 26, 2020 Yigit et al.
20200099659 March 26, 2020 Cometto et al.
20200106696 April 2, 2020 Michael et al.
20200106706 April 2, 2020 Mayya et al.
20200119952 April 16, 2020 Mayya et al.
20200127905 April 23, 2020 Mayya et al.
20200127911 April 23, 2020 Gilson et al.
20200153701 May 14, 2020 Mohan et al.
20200153736 May 14, 2020 Liebherr et al.
20200159661 May 21, 2020 Keymolen et al.
20200162407 May 21, 2020 Tillotson
20200169473 May 28, 2020 Rimar et al.
20200177503 June 4, 2020 Hooda et al.
20200177550 June 4, 2020 Valluri et al.
20200177629 June 4, 2020 Hooda et al.
20200186471 June 11, 2020 Shen et al.
20200195557 June 18, 2020 Duan et al.
20200204460 June 25, 2020 Schneider et al.
20200213212 July 2, 2020 Dillon et al.
20200213224 July 2, 2020 Cheng et al.
20200218558 July 9, 2020 Sreenath et al.
20200235990 July 23, 2020 Janakiraman et al.
20200235999 July 23, 2020 Mayya et al.
20200236046 July 23, 2020 Jain et al.
20200241927 July 30, 2020 Yang et al.
20200244721 July 30, 2020 S et al.
20200252234 August 6, 2020 Ramamoorthi et al.
20200259700 August 13, 2020 Bhalla et al.
20200267184 August 20, 2020 Vera-Schockner
20200267203 August 20, 2020 Jindal et al.
20200280587 September 3, 2020 Janakiraman et al.
20200287819 September 10, 2020 Theogaraj et al.
20200287976 September 10, 2020 Theogaraj et al.
20200296011 September 17, 2020 Jain et al.
20200296026 September 17, 2020 Michael et al.
20200301764 September 24, 2020 Thoresen et al.
20200314006 October 1, 2020 Mackie et al.
20200314614 October 1, 2020 Moustafa et al.
20200322230 October 8, 2020 Natal et al.
20200322287 October 8, 2020 Connor et al.
20200336336 October 22, 2020 Sethi et al.
20200344089 October 29, 2020 Motwani et al.
20200344143 October 29, 2020 Faseela et al.
20200344163 October 29, 2020 Gupta et al.
20200351188 November 5, 2020 Arora et al.
20200358878 November 12, 2020 Bansal et al.
20200366530 November 19, 2020 Mukundan et al.
20200366562 November 19, 2020 Mayya et al.
20200382345 December 3, 2020 Zhao et al.
20200382387 December 3, 2020 Pasupathy et al.
20200403821 December 24, 2020 Dev et al.
20200412483 December 31, 2020 Tan et al.
20200412576 December 31, 2020 Kondapavuluru et al.
20200413283 December 31, 2020 Shen et al.
20210006482 January 7, 2021 Hwang et al.
20210006490 January 7, 2021 Michael et al.
20210021538 January 21, 2021 Meck et al.
20210029019 January 28, 2021 Kottapalli
20210029088 January 28, 2021 Mayya et al.
20210036888 February 4, 2021 Makkalla et al.
20210036987 February 4, 2021 Mishra et al.
20210037159 February 4, 2021 Shimokawa
20210049191 February 18, 2021 Masson et al.
20210067372 March 4, 2021 Cidon et al.
20210067373 March 4, 2021 Cidon et al.
20210067374 March 4, 2021 Cidon et al.
20210067375 March 4, 2021 Cidon et al.
20210067407 March 4, 2021 Cidon et al.
20210067427 March 4, 2021 Cidon et al.
20210067442 March 4, 2021 Sundararajan et al.
20210067461 March 4, 2021 Cidon et al.
20210067464 March 4, 2021 Cidon et al.
20210067467 March 4, 2021 Cidon et al.
20210067468 March 4, 2021 Cidon et al.
20210073001 March 11, 2021 Rogers et al.
20210092062 March 25, 2021 Dhanabalan et al.
20210099360 April 1, 2021 Parsons et al.
20210105199 April 8, 2021 H et al.
20210111998 April 15, 2021 Saavedra
20210112034 April 15, 2021 Sundararajan et al.
20210126830 April 29, 2021 R. et al.
20210126853 April 29, 2021 Ramaswamy et al.
20210126854 April 29, 2021 Guo et al.
20210126860 April 29, 2021 Ramaswamy et al.
20210144091 May 13, 2021 H et al.
20210160169 May 27, 2021 Shen et al.
20210160813 May 27, 2021 Gupta et al.
20210176255 June 10, 2021 Hill et al.
20210184952 June 17, 2021 Mayya et al.
20210184966 June 17, 2021 Ramaswamy et al.
20210184983 June 17, 2021 Ramaswamy et al.
20210194814 June 24, 2021 Roux et al.
20210226880 July 22, 2021 Ramamoorthy et al.
20210234728 July 29, 2021 Cidon et al.
20210234775 July 29, 2021 Devadoss et al.
20210234786 July 29, 2021 Devadoss et al.
20210234804 July 29, 2021 Devadoss et al.
20210234805 July 29, 2021 Devadoss et al.
20210235312 July 29, 2021 Devadoss et al.
20210235313 July 29, 2021 Devadoss et al.
20210266262 August 26, 2021 Subramanian et al.
20210279069 September 9, 2021 Salgaonkar et al.
20210314289 October 7, 2021 Chandrashekhar et al.
20210314385 October 7, 2021 Pande et al.
20210328835 October 21, 2021 Mayya et al.
20210336880 October 28, 2021 Gupta et al.
20210377109 December 2, 2021 Shrivastava et al.
20210377156 December 2, 2021 Michael et al.
20210392060 December 16, 2021 Silva et al.
20210392070 December 16, 2021 Tootaghaj et al.
20210399920 December 23, 2021 Sundararajan et al.
20210399978 December 23, 2021 Michael et al.
20210400113 December 23, 2021 Markuze et al.
20210400512 December 23, 2021 Agarwal et al.
20210409277 December 30, 2021 Jeuk et al.
20220006726 January 6, 2022 Michael et al.
20220006751 January 6, 2022 Ramaswamy et al.
20220006756 January 6, 2022 Ramaswamy et al.
20220029902 January 27, 2022 Shemer et al.
20220035673 February 3, 2022 Markuze et al.
20220038370 February 3, 2022 Vasseur et al.
20220038557 February 3, 2022 Markuze et al.
20220045927 February 10, 2022 Liu et al.
20220052928 February 17, 2022 Sundararajan et al.
20220061059 February 24, 2022 Dunsmore et al.
20220086035 March 17, 2022 Devaraj et al.
20220094644 March 24, 2022 Cidon et al.
20220123961 April 21, 2022 Mukundan et al.
20220131740 April 28, 2022 Mayya et al.
20220131807 April 28, 2022 Srinivas et al.
20220131898 April 28, 2022 Hooda et al.
20220141184 May 5, 2022 Oswal et al.
20220158923 May 19, 2022 Ramaswamy et al.
20220158924 May 19, 2022 Ramaswamy et al.
20220158926 May 19, 2022 Wennerström et al.
20220166713 May 26, 2022 Markuze et al.
20220191719 June 16, 2022 Roy
20220198229 June 23, 2022 López et al.
20220210035 June 30, 2022 Hendrickson et al.
20220210041 June 30, 2022 Gandhi et al.
20220210042 June 30, 2022 Gandhi et al.
20220210122 June 30, 2022 Levin et al.
20220217015 July 7, 2022 Vuggrala et al.
20220231949 July 21, 2022 Ramaswamy et al.
20220231950 July 21, 2022 Ramaswamy et al.
20220232411 July 21, 2022 Vijayakumar et al.
20220239596 July 28, 2022 Kumar et al.
20220294701 September 15, 2022 Mayya et al.
20220335027 October 20, 2022 Seshadri et al.
20220337553 October 20, 2022 Mayya et al.
20220353152 November 3, 2022 Ramaswamy
20220353171 November 3, 2022 Ramaswamy et al.
20220353175 November 3, 2022 Ramaswamy et al.
20220353182 November 3, 2022 Ramaswamy et al.
20220353190 November 3, 2022 Ramaswamy et al.
20220360500 November 10, 2022 Ramaswamy et al.
20220407773 December 22, 2022 Kempanna et al.
20220407774 December 22, 2022 Kempanna et al.
20220407790 December 22, 2022 Kempanna et al.
20220407820 December 22, 2022 Kempanna et al.
20220407915 December 22, 2022 Kempanna et al.
20230006929 January 5, 2023 Mayya et al.
20230025586 January 26, 2023 Rolando et al.
20230026330 January 26, 2023 Rolando et al.
20230026865 January 26, 2023 Rolando et al.
20230028872 January 26, 2023 Ramaswamy
20230039869 February 9, 2023 Ramaswamy et al.
20230041916 February 9, 2023 Zhang et al.
20230054961 February 23, 2023 Ramaswamy et al.
20230105680 April 6, 2023 Simlai et al.
20230121871 April 20, 2023 Mayya et al.
20230179445 June 8, 2023 Cidon et al.
20230179502 June 8, 2023 Ramaswamy et al.
20230179521 June 8, 2023 Markuze et al.
20230179543 June 8, 2023 Cidon et al.
20230216768 July 6, 2023 Zohar et al.
20230216801 July 6, 2023 Markuze et al.
20230216804 July 6, 2023 Zohar et al.
20230221874 July 13, 2023 Markuze et al.
20230224356 July 13, 2023 Markuze et al.
20230224759 July 13, 2023 Ramaswamy
20230231845 July 20, 2023 Manoharan et al.
20230239234 July 27, 2023 Zohar et al.
20230261974 August 17, 2023 Ramaswamy et al.
Foreign Patent Documents
1926809 March 2007 CN
102577270 July 2012 CN
102811165 December 2012 CN
104956329 September 2015 CN
106230650 December 2016 CN
106656847 May 2017 CN
106998284 August 2017 CN
110447209 November 2019 CN
111198764 May 2020 CN
1912381 April 2008 EP
2538637 December 2012 EP
2763362 August 2014 EP
3041178 July 2016 EP
3297211 March 2018 EP
3509256 July 2019 EP
3346650 November 2019 EP
2002368792 December 2002 JP
2010233126 October 2010 JP
2014200010 October 2014 JP
2017059991 March 2017 JP
2017524290 August 2017 JP
20170058201 May 2017 KR
2574350 February 2016 RU
03073701 September 2003 WO
2005071861 August 2005 WO
2007016834 February 2007 WO
2012167184 December 2012 WO
2015092565 June 2015 WO
2016061546 April 2016 WO
2016123314 August 2016 WO
2017083975 May 2017 WO
2019070611 April 2019 WO
2019094522 May 2019 WO
2020012491 January 2020 WO
2020018704 January 2020 WO
2020091777 May 2020 WO
2020101922 May 2020 WO
2020112345 June 2020 WO
2021040934 March 2021 WO
2021118717 June 2021 WO
2021150465 July 2021 WO
2021211906 October 2021 WO
2022005607 January 2022 WO
2022082680 April 2022 WO
2022154850 July 2022 WO
2022159156 July 2022 WO
2022231668 November 2022 WO
2022235303 November 2022 WO
2022265681 December 2022 WO
2023009159 February 2023 WO
Other references
  • Yap, Kok-Kiong, et al., “Taking the Edge off with Espresso: Scale, Reliability and Programmability for Global Internet Peering,” SIGCOMM '17: Proceedings of the Conference of the ACM Special Interest Group on Data Communication, Aug. 21-25, 2017, 14 pages, Los Angeles, CA.
  • Zakurdaev, Gieorgi, et al., “Dynamic On-Demand Virtual Extensible LAN Tunnels via Software-Defined Wide Area Networks,” 2022 IEEE 12th Annual Computing and Communication Workshop and Conference, Jan. 26-29, 2022, 6 pages, IEEE, Las Vegas, NV, USA.
  • Alsaeedi, Mohammed, et al., “Toward Adaptive and Scalable OpenFlow-SDN Flow Control: A Survey,” IEEE Access, Aug. 1, 2019, 34 pages, vol. 7, IEEE, retrieved from https://ieeexplore.ieee.org/document/8784036.
  • Alvizu, Rodolfo, et al., “SDN-Based Network Orchestration for New Dynamic Enterprise Networking Services,” 2017 19th International Conference on Transparent Optical Networks, Jul. 2-6, 2017, 4 pages, IEEE, Girona, Spain.
  • Author Unknown, “VeloCloud Administration Guide: VMware SD-WAN by VeloCloud 3.3,” Month Unknown 2019, 366 pages, VMware, Inc., Palo Alto, CA, USA.
  • Barozet, Jean-Marc, “Cisco SD-WAN as a Managed Service,” BRKRST-2558, Jan. 27-31, 2020, 98 pages, Cisco, Barcelona, Spain, retrieved from https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKRST-2558.pdf.
  • Barozet, Jean-Marc, “Cisco SDWAN,” Deep Dive, Dec. 2017, 185 pages, Cisco, retrieved from https://www.coursehero.com/file/71671376/Cisco-SDWAN-Deep-Divepdf/.
  • Bertaux, Lionel, et al., “Software Defined Networking and Virtualization for Broadband Satellite Networks,” IEEE Communications Magazine, Mar. 18, 2015, 7 pages, vol. 53, IEEE, retrieved from https://ieeexplore.ieee.org/document/7060482.
  • Cox, Jacob H., et al., “Advancing Software-Defined Networks: A Survey,” IEEE Access, Oct. 12, 2017, 40 pages, vol. 5, IEEE, retrieved from https://ieeexplore.ieee.org/document/8066287.
  • Del Piccolo, Valentin, et al., “A Survey of Network Isolation Solutions for Multi-Tenant Data Centers,” IEEE Communications Society, Apr. 20, 2016, vol. 18, No. 4, 37 pages, IEEE.
  • Duan, Zhenhai, et al., “Service Overlay Networks: SLAs, QoS, and Bandwidth Provisioning,” IEEE/ACM Transactions on Networking, Dec. 2003, 14 pages, vol. 11, IEEE, New York, NY, USA.
  • Fortz, Bernard, et al., “Internet Traffic Engineering by Optimizing OSPF Weights,” Proceedings IEEE Infocom 2000, Conference on Computer Communications, Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies, Mar. 26-30, 2000, 11 pages, IEEE, Tel Aviv, Israel.
  • Francois, Frederic, et al., “Optimizing Secure SDN-enabled Inter-Data Centre Overlay Networks through Cognitive Routing,” 2016 IEEE 24th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS), Sep. 19-21, 2016, 10 pages, IEEE, London, UK.
  • Funabiki, Nobuo, et al., “A Frame Aggregation Extension of Routing Algorithm for Wireless Mesh Networks,” 2014 Second International Symposium on Computing and Networking, Dec. 10-12, 2014, 5 pages, IEEE, Shizuoka, Japan.
  • Guo, Xiangyi, et al., U.S. Appl. No. 62/925,193, filed Oct. 23, 2019, 26 pages.
  • Huang, Cancan, et al., “Modification of Q.SD-WAN,” Rapporteur Group Meeting—Doc, Study Period 2017-2020, Q4/11-DOC1 (190410), Study Group 11, Apr. 10, 2019, 19 pages, International Telecommunication Union, Geneva, Switzerland.
  • Jivorasetkul, Supalerk, et al., “End-to-End Header Compression over Software-Defined Networks: a Low Latency Network Architecture,” 2012 Fourth International Conference on Intelligent Networking and Collaborative Systems, Sep. 19-21, 2012, 2 pages, IEEE, Bucharest, Romania.
  • Lasserre, Marc, et al., “Framework for Data Center (DC) Network Virtualization,” RFC 7365, Oct. 2014, 26 pages, IETF.
  • Li, Shengru, et al., “Source Routing with Protocol-oblivious Forwarding (POF) to Enable Efficient e-Health Data Transfers,” 2016 IEEE International Conference on Communications (ICC), May 22-27, 2016, 6 pages, IEEE, Kuala Lumpur, Malaysia.
  • Lin, Weidong, et al., “Using Path Label Routing in Wide Area Software-Defined Networks with Open Flow,” 2016 International Conference on Networking and Network Applications, Jul. 2016, 6 pages, IEEE.
  • Long, Feng, “Research and Application of Cloud Storage Technology in University Information Service,” Chinese Excellent Masters' Theses Full-text Database, Mar. 2013, 72 pages, China Academic Journals Electronic Publishing House, China.
  • Michael, Nithin, et al., “HALO: Hop-by-Hop Adaptive Link-State Optimal Routing,” IEEE/ACM Transactions on Networking, Dec. 2015, 14 pages, vol. 23, No. 6, IEEE.
  • Ming, Gao, et al., “A Design of SD-WAN-Oriented Wide Area Network Access,” 2020 International Conference on Computer Communication and Network Security (CCNS), Aug. 21-23, 2020, 4 pages, IEEE, Xi'an, China.
  • Mishra, Mayank, et al., “Managing Network Reservation for Tenants in Oversubscribed Clouds,” 2013 IEEE 21st International Symposium on Modelling, Analysis and Simulation of Computer and Telecommunication Systems, Aug. 14-16, 2013, 10 pages, IEEE, San Francisco, CA, USA.
  • Mudigonda, Jayaram, et al., “NetLord: A Scalable Multi-Tenant Network Architecture for Virtualized Datacenters,” Proceedings of the ACM SIGCOMM 2011 Conference, Aug. 15-19, 2011, 12 pages, ACM, Toronto, Canada.
  • Non-Published Commonly Owned U.S. Appl. No. 17/833,555, filed Jun. 6, 2022, 34 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 17/833,566, filed Jun. 6, 2022, 35 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 17/976,717, filed Oct. 28, 2022, 37 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/100,369, filed Jan. 23, 2023, 55 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/100,381, filed Jan. 23, 2023, 55 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/100,397, filed Jan. 23, 2023, 55 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/126,989, filed Mar. 27, 2023, 83 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/126,990, filed Mar. 27, 2023, 84 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/126,991, filed Mar. 27, 2023, 84 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/126,992, filed Mar. 27, 2023, 84 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/197,090, filed May 14, 2023, 36 pages, Nicira, Inc.
  • Non-Published Commonly Owned Related U.S. Appl. No. 18/208,352 with similar specification, filed Jun. 12, 2023, 69 pages, VMware, Inc.
  • Non-Published Commonly Owned Related U.S. Appl. No. 18/208,356 with similar specification, filed Jun. 12, 2023, 69 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/211,568, filed Jun. 19, 2023, 37 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/222,864, filed Jul. 17, 2023, 350 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/222,868, filed Jul. 17, 2023, 22 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/224,466, filed Jul. 20, 2023, 56 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 18/235,879, filed Aug. 20, 2023, 173 pages, VMware, Inc.
  • Non-Published Commonly Owned U.S. Appl. No. 15/803,964, filed Nov. 6, 2017, 15 pages, The Mode Group.
  • Noormohammadpour, Mohammad, et al., “DCRoute: Speeding up Inter-Datacenter Traffic Allocation while Guaranteeing Deadlines,” 2016 IEEE 23rd International Conference on High Performance Computing (HiPC), Dec. 19-22, 2016, 9 pages, IEEE, Hyderabad, India.
  • Ray, Saikat, et al., “Always Acyclic Distributed Path Computation,” University of Pennsylvania Department of Electrical and Systems Engineering Technical Report, May 2008, 16 pages, University of Pennsylvania ScholarlyCommons.
  • Sarhan, Soliman Abd Elmonsef, et al., “Data Inspection in SDN Network,” 2018 13th International Conference on Computer Engineering and Systems (ICCES), Dec. 18-19, 2018, 6 pages, IEEE, Cairo, Egypt.
  • Taleb, Tarik, “D4.1 Mobile Network Cloud Component Design,” Mobile Cloud Networking, Nov. 8, 2013, 210 pages, MobileCloud Networking Consortium, retrieved from http://www.mobile-cloud-networking.eu/site/index.php?process=download&id=127&code=89d30565cd2ce087d3f8e95f9ad683066510a61f.
  • Tootaghaj, Diman Zad, et al., “Homa: An Efficient Topology and Route Management Approach in SD-WAN Overlays,” IEEE Infocom 2020—IEEE Conference on Computer Communications, Jul. 6-9, 2020, 10 pages, IEEE, Toronto, ON, Canada.
  • Valtulina, Luca, “Seamless Distributed Mobility Management (DMM) Solution in Cloud Based LTE Systems,” Master Thesis, Nov. 2013, 168 pages, University of Twente, retrieved from http://essay.utwente.nl/64411/1/Luca_Valtulina_MSc_Report_final.pdf.
  • Webb, Kevin C., et al., “Blender: Upgrading Tenant-Based Data Center Networking,” 2014 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), Oct. 20-21, 2014, 11 pages, IEEE, Marina del Rey, CA, USA.
  • Xie, Junfeng, et al., “A Survey of Machine Learning Techniques Applied to Software Defined Networking (SDN): Research Issues and Challenges,” IEEE Communications Surveys & Tutorials, Aug. 23, 2018, 38 pages, vol. 21, Issue 1, IEEE.
Patent History
Patent number: 12659719
Type: Grant
Filed: Jun 12, 2023
Date of Patent: Jun 16, 2026
Patent Publication Number: 20240414520
Assignee: VMware LLC (Palo Alto, CA)
Inventor: Guang Lu (Beijing)
Primary Examiner: Eunsook Choi
Application Number: 18/208,358
Classifications
Current U.S. Class: Hand-off Control (370/331)
International Classification: H04W 8/18 (20090101); H04L 69/22 (20220101); H04W 12/37 (20210101); H04W 76/12 (20180101); H04W 92/02 (20090101);